Abstract

This paper investigates under which conditions instantiation-based proof procedures can be combined in a nested way, in order to mechanically construct new instantiation procedures for richer theories. Interesting applications in the field of verification are emphasized, particularly for handling extensions of the theory of arrays.

1 Introduction

Proving the satisfiability or unsatisfiability of a first-order formula (possibly modulo some background theory) is an essential problem in computer science, in particular for the automatic verification of complex systems, and instantiation schemes can be used for this purpose. Such schemes can be viewed as functions $\Theta$ that map a set of formulae (or clauses) $S$ to a set of ground (i.e. variable-free) instances $\Theta(S)$ of $S$. An instantiation scheme is refutationally complete if for all sets of clauses $S$, $\Theta(S)$ is satisfiable exactly when $S$ is. Examples of refutationally complete instantiation schemes include [22, 24, 17, 15]. It is clear that an instantiation scheme that is refutationally complete does not always terminate, as $\Theta(S)$ may be infinite, but schemes that are both complete and terminating can be defined for specific classes of clause sets, which are thus decidable. A trivial and well-known example is the Bernays-Schönfinkel class (i.e. the class of purely universal formulae without function symbols of arity distinct from 0, see, e.g., [11]), since in this case the set of ground instances is finite. Other examples include the class of stratified clause sets [1] and many classes of clause sets of the form $Q \cup A$, where $Q$ is a set of ground formulae and $A$ is the set of axioms of a specific theory, for instance the theory of arrays [5]. In this last case, of course, only the axioms in $A$ need to be instantiated.
Instantiation schemes can also be defined for specific theories for which decision procedures exist. Then, the theory is not axiomatized, but directly handled by an external prover, used as a "black box". In this case, the instantiation procedure should preserve the validity of the formula modulo the considered theory. Such procedures are appealing, because it is usually much easier to check the validity of a ground set than that of a non-ground set (see for instance [7]).

Frequently, one has to handle heterogeneous problems, defined on complex theories for which no instantiation procedure exists. Such theories are frequently obtained by combining simpler theories. For instance the theory describing a data structure (arrays, lists, etc.) may be combined with the theory modeling the elements it contains (e.g., integers). Most systems rely on the Nelson-Oppen method (and its numerous refinements) to reason on combinations of theories. This scheme allows one, under certain conditions, to combine independent decision procedures (see, e.g., [27]), but it is of no use for reasoning on theories that include axioms containing function or predicate symbols from both theories. As an example, consider the following formula:

$$\forall i, j : \mathrm{nat},\ i \leq j \Rightarrow \mathrm{select}(t, i) \leq \mathrm{select}(t, j),$$

that states that an array $t$ is sorted. This formula uses symbols from the theory of integers (the predicate $\leq$) and from the theory of arrays (the function select, which returns the value stored in a certain array at a certain index).

In this paper, we show how to construct automatically instantiation schemes for such axioms, by combining existing instantiation schemes. More precisely, from two complete instantiation procedures $\Theta_{\mathbb{N}}$ and $\Theta_{\mathcal{A}}$ for the theory of integers and for the theory of arrays respectively, we construct a new procedure $\Theta$ which is able to handle a particular class of "mixed" axioms, containing function symbols from both theories (including for instance the axioms for sorted arrays and many others). $\Theta$ will be complete and terminating if both $\Theta_{\mathbb{N}}$ and $\Theta_{\mathcal{A}}$ are (as proven in Section 3). This approach is not restricted to specific theories such as $\Theta_{\mathbb{N}}$ and $\Theta_{\mathcal{A}}$; on the contrary it is generic and applies to a wide range of theories, and some examples are provided in Section 4. The conditions that must be satisfied by the considered theories and by their instantiation procedures are very precisely identified.



Comparison with Related Work

There is an extensive amount of work on the combination of (usually disjoint) theories, using mainly refinements or extensions of the Nelson-Oppen method (see, e.g., [UJ|8]). For instance, [14] shows that many decidable fragments of first-order logic can be combined with any disjoint theory, even if these fragments do not fulfill the stable infiniteness condition in general. A related result is presented in [15] for the theory of lists (with a length function). However, these results do not apply to non-disjoint theories such as the ones we consider in this paper, and they cannot handle nested combinations of arbitrary theories.

Reasoning on the combination of theories with mixed axioms has been recognized as an important problem and numerous solutions have been proposed in many specific cases. Most existing work focuses on testing the satisfiability problem of ground formulae in combinations or extensions of existing theories. In contrast, our method aims at reducing non-ground satisfiability to ground satisfiability tests, via instantiation.

For instance, [6] defines a decision procedure for extensions of the theory of arrays with integer elements, which is able to handle axioms such as the one above for sorted arrays. As we shall see in Section 4, our approach, when applied to these particular theories, permits one to handle a strictly more expressive class of quantified formulae.

[19] focuses on arrays with integer indices and devises a method to combine existing decision procedures (for Presburger arithmetic and for the theory of arrays). This method is able to handle some important specific features of arrays such as sortedness or array dimension. Similarly to our approach, theirs is based on an instantiation of the axioms. As we shall see, some of its features can be tackled with our method and others (such as injectivity) are out of its scope. However, our method is generic in the sense that it applies to a wide class of theories and axioms (in particular, it applies to axioms that are not considered in [19]). It is essentially syntactic, whereas that of [19] is more of a semantic nature.

A logic devoted to reasoning with arrays of integers is presented in [21] and the decidability of the satisfiability problem is established by reduction to the emptiness problem for counter automata. In Section 3 we shall show that the expressive power of this logic is again incomparable with the one we obtain with our approach.

[18] proposes an instantiation scheme for sets of clauses possibly containing arithmetic literals, which can handle some of the axioms we consider. However, termination is not guaranteed for this scheme, in contrast to ours.

Slightly closer to our approach is the work described in [25, 26], which defines the notion of the (stably) local extension of a theory and shows that the satisfiability problem in a (stably) local extension of a theory $\mathcal{A}$ can be reduced to a mere satisfiability test in $\mathcal{A}$. The notion of a local extension is a generalization of the notion of a local theory [16]. The idea is that, for testing the satisfiability of a ground formula $Q$ in the local extension of a theory, it is sufficient to instantiate the variables occurring in the new axioms by ground terms occurring either in $Q$ or in the axioms. This condition holds for numerous useful extensions of base theories, including for instance extensions with free functions, with selector functions for an injective constructor, with monotone functions over integers or reals, etc. Our approach departs from these results because our goal is not to extend basic theories, but rather to combine existing instantiation procedures. Note also that the notion of a local extension is a semantic one, and that this property must be established separately for every considered extension. In our approach we define conditions on the theories ensuring that they can be safely combined. These conditions can be tested once and for all for each theory, and then any combination is allowed. The extensions we consider in this paper are not necessarily local, thus they do not fall under the scope of the method in [25, 26]. However, an important restriction of our approach compared to [25, 26] is that the theories must be combined in a hierarchic way: intuitively there can be function symbols mapping elements of the first theory $\mathcal{B}$ (the "base" theory) to elements of the second one $\mathcal{N}$ (the "nesting" theory), but no function symbols are allowed from $\mathcal{N}$ to $\mathcal{B}$.

Extensions of the superposition calculus [5] have been proposed to handle first-order extensions of a base theory (see for example [HH]). The superposition calculus is used to reason on the generic part of the formulae whereas the theory-specific part is handled by an external prover. These proof procedures can be used to reason on some of the formulae we consider in the present paper. However, we are not aware of any termination result for these approaches (even completeness requires additional restrictions that are not always satisfied in practice). Our approach uses instantiation instead of superposition, and ensures that termination is preserved by the combination, at the cost of much stronger syntactic restrictions on the considered formulae.

Organization of the Paper

The rest of the paper is structured as follows. Section 2 contains general definitions and notations used throughout the present work. Most of them are standard, but some are more particular, such as the notions of ω-clauses or specifications. Section 3 describes our procedure for the nested combination of instantiation schemes, and introduces conditions to ensure that completeness is preserved. Section 4 shows some interesting applications of these results for theories that are particularly useful in the field of verification (especially for extensions of the theory of arrays). Section 5 concludes the paper and gives some lines of future work.

2 Preliminaries

In this section, we first briefly review usual notions and notations about first-order clausal logic. Then we introduce the rather nonstandard notion of an ω-clause (a clause with infinitely many literals). We define the notion of specifications and provide some examples showing how usual theories such as those for integers or arrays can be encoded. Finally we introduce the notion of instantiation methods.

2.1 Syntax

Let $\mathcal{S}$ be a set of sort symbols and $\mathcal{F}$ be a set of function symbols together with a ranking function $\mathrm{rnk} : \mathcal{F} \to \mathcal{S}^* \times \mathcal{S}$. For every $f \in \mathcal{F}$, we write $f : s_1 \times \cdots \times s_n \to s$ if $\mathrm{rnk}(f) = (s_1, \ldots, s_n, s)$. If $n = 0$ then $f$ is a constant symbol of sort $s$. We assume that $\mathcal{F}$ contains at least one constant symbol of each sort. To every sort $s \in \mathcal{S}$ is associated a countably infinite set $\mathcal{X}_s$ of variables of sort $s$, such that these sets are pairwise disjoint. $\mathcal{X} = \bigcup_{s \in \mathcal{S}} \mathcal{X}_s$ denotes the whole set of variables. For every $s \in \mathcal{S}$, the set of terms of sort $s$ is denoted by $\mathcal{T}_s(\mathcal{X})$ and built inductively as usual on $\mathcal{X}$ and $\mathcal{F}$:

• $\mathcal{X}_s \subseteq \mathcal{T}_s(\mathcal{X})$.

• If $f : s_1 \times \cdots \times s_n \to s$ and for all $i \in [1, n]$, $t_i \in \mathcal{T}_{s_i}(\mathcal{X})$ then $f(t_1, \ldots, t_n) \in \mathcal{T}_s(\mathcal{X})$.

The set of terms is defined by $\mathcal{T}(\mathcal{X}) = \bigcup_{s \in \mathcal{S}} \mathcal{T}_s(\mathcal{X})$.

An atom is an equality $t \simeq s$ between terms of the same sort. A literal is either an atom or the negation of an atom (written $t \not\simeq s$). If $L$ is a literal, then $L^c$ denotes its complementary: $(t \simeq s)^c = (t \not\simeq s)$ and $(t \not\simeq s)^c = (t \simeq s)$. A clause is a finite set (written as a disjunction) of literals. We assume that $\mathcal{S}$ contains a sort bool and that $\mathcal{F}$ contains a constant symbol true of sort bool. For readability, atoms of the form $p \simeq \mathrm{true}$ will be simply denoted by $p$ (thus we write, e.g., $a < 2$ instead of $(a < 2) \simeq \mathrm{true}$). An atom is equational iff it is of the form $t \simeq s$ where $t, s \neq \mathrm{true}$.

The set of variables occurring in an expression (term, atom, literal or clause) $\mathcal{E}$ is denoted by $\mathrm{Var}(\mathcal{E})$. $\mathcal{E}$ is ground iff $\mathrm{Var}(\mathcal{E}) = \emptyset$. The set of ground terms of sort $s$ is denoted by $\mathcal{T}_s$ and the set of ground terms by $\mathcal{T} = \bigcup_{s \in \mathcal{S}} \mathcal{T}_s$.

A substitution is a function that maps every variable to a term of the same sort. The image of a variable $x$ by a substitution $\sigma$ is denoted by $x\sigma$. The domain of a substitution $\sigma$ is the set $\mathrm{dom}(\sigma) = \{x \in \mathcal{X} \mid x\sigma \neq x\}$, and its codomain $\mathrm{cod}(\sigma)$ is the set of elements the variables in the domain are mapped to. Substitutions are extended to terms, atoms, literals and clauses as usual: $f(t_1, \ldots, t_n)\sigma = f(t_1\sigma, \ldots, t_n\sigma)$, $(t \simeq s)\sigma = (t\sigma \simeq s\sigma)$, $(\neg L)\sigma = \neg(L\sigma)$ and $(\bigvee_{i=1}^n L_i)\sigma = \bigvee_{i=1}^n L_i\sigma$. A substitution $\sigma$ is ground if $\forall x \in \mathrm{dom}(\sigma)$, $\mathrm{Var}(x\sigma) = \emptyset$. A ground instance of an expression $\mathcal{E}$ is an expression of the form $\mathcal{E}\sigma$, where $\sigma$ is a ground substitution of domain $\mathrm{Var}(\mathcal{E})$.

Definition 1. A substitution $\sigma$ is pure iff for all $x \in \mathcal{X}$, $x\sigma \in \mathcal{X}$. In this case, for any term $t$, $t\sigma$ is a pure instance of $t$. A substitution $\sigma$ is a renaming if it is pure and injective.

A substitution $\sigma$ is a unifier of a set of pairs $\{(t_i, s_i) \mid i \in [1, n]\}$ iff $\forall i \in [1, n]$, $t_i\sigma = s_i\sigma$. It is well-known that all unifiable sets have a most general unifier (mgu), which is unique up to a renaming.

2.2 Semantics

An interpretation $I$ is a function mapping:

• Every sort symbol $s \in \mathcal{S}$ to a nonempty set $s^I$.

• Every function symbol $f : s_1 \times \cdots \times s_n \to s \in \mathcal{F}$ to a function $f^I : s_1^I \times \cdots \times s_n^I \to s^I$.

$D^I$ denotes the domain of $I$, i.e., the set $\bigcup_{s \in \mathcal{S}} s^I$. As usual, the valuation function $\mathcal{E} \mapsto [\mathcal{E}]_I$ maps every ground expression $\mathcal{E}$ to a value defined as follows:

• $[f(t_1, \ldots, t_n)]_I \stackrel{\mathrm{def}}{=} f^I([t_1]_I, \ldots, [t_n]_I)$,

• $[t \simeq s]_I = \mathrm{true}$ iff $[t]_I = [s]_I$,

• $[t \not\simeq s]_I = \mathrm{true}$ iff $[t \simeq s]_I \neq \mathrm{true}$,

• $[\bigvee_{i=1}^n L_i]_I = \mathrm{true}$ iff $\exists i \in [1, n]$, $[L_i]_I = \mathrm{true}$.

An $\mathcal{F}$-interpretation $I$ satisfies an $\mathcal{F}$-clause $C$ if for every ground instance $C\sigma$ of $C$ we have $[C\sigma]_I = \mathrm{true}$. A set of $\mathcal{F}$-clauses $S$ is satisfied by $I$ if $I$ satisfies every clause in $S$. If this is the case, then $I$ is a model of $S$ and we write $I \models S$. A set of clauses $S$ is satisfiable if it has a model; two sets of clauses are equisatisfiable if one is satisfiable exactly when the other is satisfiable.

In the sequel, we restrict ourselves, w.l.o.g., to interpretations such that, for every $s \in \mathcal{S}$, $s^I = \{[t]_I \mid t \in \mathcal{T}_s\}$.

¹ For technical convenience we do not assume that $\mathrm{dom}(\sigma)$ is finite.

2.3 ω-Clauses

For technical convenience, we extend the usual notion of a clause by allowing infinite disjunctions of literals:

Definition 2. An ω-clause is a possibly infinite set of literals.

The notion of instance extends straightforwardly to ω-clauses: if $C$ is an ω-clause then $C\sigma$ denotes the ω-clause $\{L\sigma \mid L \in C\}$ (recall that the domain of $\sigma$ may be infinite). Similarly, the semantics of ω-clauses is identical to that of standard clauses: if $C$ is a ground ω-clause, then $[C]_I = \mathrm{true}$ iff there exists an $L \in C$ such that $[L]_I = \mathrm{true}$. If $C$ is a non-ground ω-clause, then $I \models C$ iff for every ground substitution $\sigma$ of domain $\mathrm{Var}(C)$, $[C\sigma]_I = \mathrm{true}$. The notions of satisfiability, models etc. are extended accordingly. If $S, S'$ are two sets of ω-clauses, we write $S \leq S'$ if for every clause $C' \in S'$ there exists a clause $C \in S$ such that $C \subseteq C'$.

Proposition 3. If $S \leq S'$ then $S'$ is a logical consequence of $S$.

Of course, most of the usual properties of first-order logic such as semi-decidability or compactness fail if ω-clauses are considered. For instance, if $C$ stands for the ω-clause $\{b \simeq f^i(a) \mid i \in \mathbb{N}\}$ and $D_j = \{b \not\simeq f^j(a)\}$ for $j \in \mathbb{N}$, then $S = \{D_j \mid j \in \mathbb{N}\} \cup \{C\}$ is unsatisfiable, although every finite subset of $S$ is satisfiable.

2.4 Specifications

Usually, theories are defined by sets of axioms and are closed under logical consequence. In our setting, we will restrict either the class of interpretations (e.g., by fixing the interpretation of a sort int to the natural numbers) or the class of clause sets (e.g., by considering only clause sets belonging to some decidable fragments or containing certain axioms). This is why we introduce the (slightly unusual) notion of specifications, of which we provide examples in the following section:

Definition 4. A specification $\mathcal{A}$ is a pair $(\mathcal{I}, \mathfrak{C})$, where $\mathcal{I}$ is a set of interpretations and $\mathfrak{C}$ is a class of clause sets. A clause set $S \in \mathfrak{C}$ is $\mathcal{A}$-satisfiable if there exists an $I \in \mathcal{I}$ such that $I \models S$. $S$ and $S'$ are $\mathcal{A}$-equisatisfiable if they are both $\mathcal{A}$-satisfiable or both $\mathcal{A}$-unsatisfiable. We write $S \models_{\mathcal{A}} S'$ iff every $\mathcal{A}$-model of $S$ is also an $\mathcal{A}$-model of $S'$.

For the sake of readability, if $\mathcal{A}$ is clear from the context, we will say that a set of clauses is satisfiable, instead of $\mathcal{A}$-satisfiable. We write $(\mathcal{I}, \mathfrak{C}) \subseteq (\mathcal{I}', \mathfrak{C}')$ iff $\mathcal{I} = \mathcal{I}'$ and $\mathfrak{C} \subseteq \mathfrak{C}'$. By a slight abuse of language, we say that $C$ occurs in $\mathcal{A}$ if there exists $S \in \mathfrak{C}$ such that $C \in S$.

In many cases, $\mathcal{I}$ is simply the set of all interpretations, which we denote by $\mathcal{I}_{fol}$. But our results also apply to domain-specific instantiation schemes such as those for Presburger arithmetic. Of course, restricting the form of the clause sets in $\mathfrak{C}$ is necessary in many cases for defining instantiation schemes that are both terminating and refutationally complete. That is why we do not assume that $\mathfrak{C}$ contains every clause set. Note that axioms may be included in $\mathfrak{C}$. We shall simply assume that $\mathfrak{C}$ is closed under inclusion and ground instantiation, i.e., for all $S \in \mathfrak{C}$, if $S' \subseteq S$ and $S''$ only contains ground instances of clauses in $S$, then $S', S'' \in \mathfrak{C}$. All the classes of clause sets considered in this paper satisfy these requirements.

We shall restrict ourselves to a particular class of specifications: those with a set of interpretations that can be defined by a set of ω-clauses.

Definition 5. A specification $\mathcal{A} = (\mathcal{I}, \mathfrak{C})$ is ω-definable iff there exists a (possibly infinite) set of ω-clauses $\mathrm{Ax}(\mathcal{I})$ such that $\mathcal{I} = \{I \mid I \models \mathrm{Ax}(\mathcal{I})\}$.

From now on, we assume that all the considered specifications are ω-definable.

2.5 Examples

Example 6. The specification of first-order logic is defined by $\mathcal{A}_{fol} = (\mathcal{I}_{fol}, \mathfrak{C}_{fol})$ where:

• $\mathcal{I}_{fol}$ is the set of all interpretations (i.e. $\mathrm{Ax}(\mathcal{I}_{fol}) = \emptyset$).

• $\mathfrak{C}_{fol}$ is the set of all clause sets on the considered signature.

Example 7. The specification of Presburger arithmetic is defined as follows: $\mathcal{A}_{\mathbb{Z}} = (\mathcal{I}_{\mathbb{Z}}, \mathfrak{C}_{\mathbb{Z}})$ where:

• $\mathrm{Ax}(\mathcal{I}_{\mathbb{Z}})$ contains the domain axiom $\bigvee_{k \in \mathbb{N}} (x \simeq s^k(0) \vee x \simeq -s^k(0))$ and the usual axioms for the function symbols $0 : \mathrm{int}$, $- : \mathrm{int} \to \mathrm{int}$, $s : \mathrm{int} \to \mathrm{int}$, $p : \mathrm{int} \to \mathrm{int}$, $+ : \mathrm{int} \times \mathrm{int} \to \mathrm{int}$, and for the predicate symbols $\simeq_k : \mathrm{int} \times \mathrm{int} \to \mathrm{bool}$ (for every $k \in \mathbb{N}$), $< : \mathrm{int} \times \mathrm{int} \to \mathrm{bool}$ and $\leq : \mathrm{int} \times \mathrm{int} \to \mathrm{bool}$:

$$\begin{array}{ll}
0 + x \simeq x & s(x) + y \simeq s(x + y) \\
p(x) + y \simeq p(x + y) & p(s(x)) \simeq x \\
s(p(x)) \simeq x & s^k(0) \simeq_k 0 \\
-0 \simeq 0 & -s(x) \simeq p(-x) \\
-p(x) \simeq s(-x) & x \not\simeq_k y \vee s^k(x) \simeq_k y \\
x \not\simeq_k y \vee p^k(x) \simeq_k y & x < y \Leftrightarrow s(x) < s(y) \\
x \not< y \vee x < s(y) & x \leq y \Leftrightarrow (x < y \vee x \simeq y) \\
x < s(x) &
\end{array}$$

$\simeq_k$ denotes equality modulo $k$ (which will be used in Section 4.1.1); $x, y$ denote variables of sort int and $k$ is any natural number. Note that the domain axiom is an infinite ω-clause, while the other axioms can be viewed as standard clauses.

• $\mathfrak{C}_{\mathbb{Z}}$ is the class of clause sets built on the set of function symbols $0 : \mathrm{int}$, $s : \mathrm{int} \to \mathrm{int}$, $p : \mathrm{int} \to \mathrm{int}$ and on the previous set of predicate symbols.

In the sequel, the terms $s^k(0)$ and $p^k(0)$ will be written $k$ and $-k$ respectively.

Example 8. The specification of arrays is $\mathcal{A}_A = (\mathcal{I}_A, \mathfrak{C}_A)$ where:

• $\mathrm{Ax}(\mathcal{I}_A) = \{\mathrm{select}(\mathrm{store}(x, z, v), z) \simeq v,\ z' \simeq z \vee \mathrm{select}(\mathrm{store}(x, z, v), z') \simeq \mathrm{select}(x, z')\}$, where $\mathrm{select} : \mathrm{array} \times \mathrm{ind} \to \mathrm{elem}$ and $\mathrm{store} : \mathrm{array} \times \mathrm{ind} \times \mathrm{elem} \to \mathrm{array}$ ($x$ is a variable of sort array, $z, z'$ are variables of sort ind and $v$ is a variable of sort elem).

• $\mathfrak{C}_A$ is the class of ground clause sets built on select, store and a set of constant symbols.

It should be noted that reals can also be handled by using any axiomatization of real closed fields.

2.6 Instantiation Procedures

An instantiation procedure is a function that reduces the $\mathcal{A}$-satisfiability problem for any set of $\mathcal{A}$-clauses to that of a (possibly infinite) set of ground $\mathcal{A}$-clauses.

Definition 9. Let $\mathcal{A} = (\mathcal{I}, \mathfrak{C})$ be a specification. An instantiation procedure for $\mathcal{A}$ is a function $\Theta$ from $\mathfrak{C}$ to $\mathfrak{C}$ such that for every $S \in \mathfrak{C}$, $\Theta(S)$ is a set of ground instances of clauses in $S$. $\Theta$ is complete for $\mathcal{A}$ if for every $S \in \mathfrak{C}$, $S$ and $\Theta(S)$ are $\mathcal{A}$-equisatisfiable. It is terminating if $\Theta(S)$ is finite for every $S \in \mathfrak{C}$.

If $\Theta$ is complete and terminating, and if there exists a decision procedure for checking whether a ground (finite) clause set is satisfiable in $\mathcal{I}$, then the $\mathcal{A}$-satisfiability problem is clearly decidable. Several examples of complete instantiation procedures are available in the literature [21 |T71 151 H5 1 135 ) HI 171 H5 1 H2]. Our goal in this paper is to provide a general mechanism for constructing new complete instantiation procedures by combining existing ones.

3 Nested Combination of Specifications

3.1 Definition

Theories are usually combined by considering their (in general disjoint) union. Decision procedures for disjoint theories can be combined (under certain conditions) by different methods, including the Nelson-Oppen method [27] or its refinements. In this section we consider a different way of combining specifications. The idea is to combine them in a "hierarchic" way, i.e., by considering the formulae of the first specification as constraints on the formulae of the second one.

For instance, if $\mathcal{A}_{\mathbb{Z}}$ is the specification of Presburger arithmetic and $\mathcal{A}_A$ is the specification of arrays, then:

• $0 \leq x \leq n$ is a formula of $\mathcal{A}_{\mathbb{Z}}$ ($x$ denotes a variable and $n$ denotes a constant symbol of sort int).

• $\mathrm{select}(t, x) \simeq a$ is a formula of $\mathcal{A}_A$ (stating that $t$ is a constant array).

• $0 \leq x \leq n \Rightarrow \mathrm{select}(t, x) \simeq a$ (stating that $t$ is constant on the interval $[0, n]$) is a formula obtained by combining $\mathcal{A}_{\mathbb{Z}}$ and $\mathcal{A}_A$ hierarchically.

Such a combination cannot be viewed as a union of disjoint specifications, since the axioms contain function symbols from both specifications. In this example, $\mathcal{A}_{\mathbb{Z}}$ is a base specification and $\mathcal{A}_A$ is a nesting specification.

More formally, we assume that the set of sorts $\mathcal{S}$ is divided into two disjoint sets $\mathcal{S}_B$ and $\mathcal{S}_N$ such that for every function $f : s_1 \times \cdots \times s_n \to s$, if $s \in \mathcal{S}_B$ then $s_1, \ldots, s_n \in \mathcal{S}_B$. A term is a base term if it is of a sort $s \in \mathcal{S}_B$ and a nesting term if it is of a sort $s \in \mathcal{S}_N$ and contains no non-variable base term. In the sequel we let $\mathcal{X}_B = \bigcup_{s \in \mathcal{S}_B} \mathcal{X}_s$ (resp. $\mathcal{X}_N = \bigcup_{s \in \mathcal{S}_N} \mathcal{X}_s$) be the set of base variables (resp. nesting variables) and let $\mathcal{F}_B$ (resp. $\mathcal{F}_N$) be the set of function symbols whose co-domain is in $\mathcal{S}_B$ (resp. $\mathcal{S}_N$). An $\mathcal{S}_B$-ground instance of an expression $\mathcal{E}$ is an expression of the form $\mathcal{E}\sigma$ where $\sigma$ is a ground substitution of domain $\mathrm{Var}(\mathcal{E}) \cap \mathcal{X}_B$. Intuitively, an $\mathcal{S}_B$-ground instance of $\mathcal{E}$ is obtained from $\mathcal{E}$ by replacing every variable of a sort $s \in \mathcal{S}_B$ (and only these variables) by a ground term of the same sort.

Definition 10. $\Omega_B$ denotes the set of ω-clauses $C$ such that every term occurring in $C$ is a base term. $\Omega_N$ denotes the set of ω-clauses $C$ such that:

1. Every non-variable term occurring in $C$ is a nesting term.

2. For every atom $t \simeq s$ occurring in $C$, $t$ and $s$ are nesting terms.

Notice that it follows from the definition that $\Omega_B \cap \Omega_N = \emptyset$, since $\mathcal{S}_B$ and $\mathcal{S}_N$ are disjoint.

Definition 11. A specification $(\mathcal{I}, \mathfrak{C})$ is a base specification if $\mathrm{Ax}(\mathcal{I}) \subseteq \Omega_B$ and for every $S \in \mathfrak{C}$, $S \subseteq \Omega_B$. It is a nesting specification if $\mathrm{Ax}(\mathcal{I}) \subseteq \Omega_N$ and for every $S \in \mathfrak{C}$, $S \subseteq \Omega_N$.

Throughout this section, $\mathcal{B} = (\mathcal{I}_B, \mathfrak{C}_B)$ will denote a base specification and $\mathcal{N} = (\mathcal{I}_N, \mathfrak{C}_N)$ denotes a nesting specification. Base and nesting specifications are combined as follows:

Definition 12. The hierarchic expansion of $\mathcal{N}$ over $\mathcal{B}$ is the specification $\mathcal{N}[\mathcal{B}] = (\mathcal{I}, \mathfrak{C})$ defined as follows:

1. $\mathrm{Ax}(\mathcal{I}) = \mathrm{Ax}(\mathcal{I}_B) \cup \mathrm{Ax}(\mathcal{I}_N)$.

2. Every clause set in $\mathfrak{C}$ is of the form $\{C_i^B \vee C_i^N \mid i \in [1..n]\}$, where $\{C_i^B \mid i \in [1..n]\} \in \mathfrak{C}_B$ and $\{C_i^N \mid i \in [1..n]\} \in \mathfrak{C}_N$.

If $C$ is a clause in $\mathfrak{C}$, then $C^B$ is the base part of the clause and $C^N$ is its nesting part. If $S$ is a set of clauses in $\mathfrak{C}$, then $S^B$ and $S^N$ respectively denote the sets $\{C^B \mid C \in S\}$ and $\{C^N \mid C \in S\}$, and are respectively called the base part and nesting part of $S$.

The following proposition shows that the decomposition in Condition 2 is unique.

Proposition 13. For every clause $C$ occurring in a clause set in $\mathfrak{C}$, there exist two unique clauses $C^B$ and $C^N$ such that $C = C^B \vee C^N$.

Proof. The existence of two clauses $C^B$, $C^N$ is a direct consequence of Condition 2 in Definition 12. Uniqueness follows straightforwardly from Definition 10, since every literal of $C$ belongs to exactly one of $\Omega_B$ and $\Omega_N$. ∎

Example 14. Consider the following clauses:

$c_1$: $\{x \not\geq a \vee \mathrm{select}(t, x) \simeq 1\}$ ($t$ is constant on $[a, \infty[$)

$c_2$: $\{x \not\geq a \vee x \not\leq b \vee \mathrm{select}(t, x) \simeq \mathrm{select}(t', x)\}$ ($t$ and $t'$ coincide on $[a, b]$)

$c_3$: $\{\mathrm{select}(t, i) \simeq \mathrm{select}(t', i + 1)\}$ ($t$ and $t'$ coincide up to a shift)

$c_4$: $\{x \not\leq y \vee \mathrm{select}(t, x) \leq \mathrm{select}(t, y)\}$ ($t$ is sorted)

$c_5$: $\{\mathrm{select}(t, x) < x\}$ ($t$ is lower than the identity)

Clauses $c_1$ and $c_2$ occur in $\mathcal{A}_A[\mathcal{A}_{\mathbb{Z}}]$, and for instance, $c_1^N = (\mathrm{select}(t, x) \simeq 1)$ and $c_1^B = (x \not\geq a)$. Clause $c_3$ does not occur in $\mathcal{A}_A[\mathcal{A}_{\mathbb{Z}}]$ because the atom $\mathrm{select}(t', i + 1)$ of the nesting specification contains the non-variable term $i + 1$ of the base specification. However, $c_3$ can be equivalently written as follows:

$c_3'$: $\{j \not\simeq i + 1 \vee \mathrm{select}(t, i) \simeq \mathrm{select}(t', j)\}$

and $c_3'$ is in $\mathcal{A}_A[\mathcal{A}_{\mathbb{Z}}]$². Clause $c_4$ does not occur in $\mathcal{A}_A[\mathcal{A}_{\mathbb{Z}}]$, because $\mathrm{select}(t, x) \leq \mathrm{select}(t, y)$ contains symbols from both $\mathcal{A}_{\mathbb{Z}}$ (namely $\leq$) and $\mathcal{A}_A$ (select), which contradicts Condition 2 of Definition 12. However, $c_4$ can be handled in this setting by considering a copy $\mathcal{A}'_{\mathbb{Z}}$ of $\mathcal{A}_{\mathbb{Z}}$ (with disjoint sorts and function symbols). In this case, $c_4$ belongs to $(\mathcal{A}_A \cup \mathcal{A}'_{\mathbb{Z}})[\mathcal{A}_{\mathbb{Z}}]$, where $\mathcal{A}_A \cup \mathcal{A}'_{\mathbb{Z}}$ denotes the union of the specifications $\mathcal{A}_A$ and $\mathcal{A}'_{\mathbb{Z}}$. Of course $\mathcal{A}'_{\mathbb{Z}}$ can be replaced by any other specification containing an ordering predicate symbol. The same transformation cannot be used on the clause $c_5$, since (because of the literal $\mathrm{select}(t, x) < x$) the sort of the indices cannot be separated from that of the elements. Again, this is not surprising because, as shown in [6], such axioms (in which index variables occur out of the scope of a select) easily make the theory undecidable.

Since $\mathcal{S}_B$ and $\mathcal{S}_N$ are disjoint, the boolean sort cannot occur both in $\mathcal{S}_B$ and $\mathcal{S}_N$. However, this problem can easily be overcome by considering two copies of this sort (bool and bool').

3.2 Nested Combination of Instantiation Schemes

The goal of this section is to investigate how instantiation schemes for $\mathcal{B}$ and $\mathcal{N}$ can be combined in order to obtain an instantiation scheme for $\mathcal{N}[\mathcal{B}]$. For instance, given two instantiation schemes for integers and arrays respectively, we want to automatically derive an instantiation scheme handling mixed axioms such as those in Example 14. We begin by imposing conditions on the schemes under consideration.

3.2.1 Conditions on the Nesting Specification

First, we investigate what conditions can be imposed on the instantiation procedure for the nesting specification $\mathcal{N}$. What is needed is not an instantiation procedure that is complete for $\mathcal{N}$; indeed, since by definition every term of a sort in $\mathcal{S}_B$ occurring in $\mathfrak{C}_N$ is a variable, such an instantiation would normally replace every such variable by an arbitrary ground term (a constant, for example). This is not satisfactory because in the current setting, the value of these variables can be constrained by the base part of the clause. This is why we shall assume that the considered procedure is complete for every clause set that is obtained from clauses in $\mathfrak{C}_N$ by grounding the variables in $\mathcal{X}_B$, no matter the grounding instantiation.

Definition 15. An $\mathcal{S}_B$-mapping is a function $\alpha$ from $\mathcal{T}_B$ to $\mathcal{T}_B$, where $\mathcal{T}_B = \bigcup_{s \in \mathcal{S}_B} \mathcal{T}_s$ is the set of ground base terms. Such a mapping is extended straightforwardly into a function from expressions to expressions: for every expression (term, atom, literal, clause or set of clauses) $\mathcal{E}$, $\alpha(\mathcal{E})$ denotes the expression obtained from $\mathcal{E}$ by replacing every term $t \in \mathcal{T}_B$ occurring in $\mathcal{E}$ by $\alpha(t)$.



² However, as we shall see in Section 4, our method cannot handle such axioms, except in some very particular cases. In fact, adding axioms relating two consecutive elements of an array easily yields undecidable specifications (as shown in [6]).
An instantiation procedure $\Theta$ is $\mathcal{S}_B$-invariant iff for every $\mathcal{S}_B$-mapping $\alpha$ and every clause $C$ in a set $S$, $C \in \Theta(S) \Rightarrow \alpha(C) \in \Theta(\alpha(S))$.

We may now define nesting-complete instantiation procedures. Intuitively, such a procedure must be complete on those sets in which the only terms of a sort in $\mathcal{S}_B$ that occur are ground, the instances cannot depend on the names of the terms in $\mathcal{T}_B$, and adding clauses to a set cannot make the procedure generate fewer instances.

Definition 16. An instantiation procedure $\Theta$ is nesting-complete if the following conditions hold:

1. For all sets $S \in \mathfrak{C}_N$ and all sets $S'$ such that every clause in $S'$ is an $\mathcal{S}_B$-ground instance of a clause in $S$, $S'$ and $\Theta(S')$ are $\mathcal{N}$-equisatisfiable.

2. $\Theta$ is $\mathcal{S}_B$-invariant.

3. $\Theta$ is monotonic: $S' \subseteq S \Rightarrow \Theta(S') \subseteq \Theta(S)$.



3.2.2 Conditions on the Base Specification

Second, we impose conditions on the instantiation procedure for the base specification $\mathcal{B}$. We need the following definitions:

Definition 17. Let $S$ be a set of clauses and let $G$ be a set of terms. We denote by $S{\downarrow}_G$ the set of clauses of the form $C\sigma$, where $C \in S$ and $\sigma$ maps every variable in $C$ to a term of the same sort in $G$.

Proposition 18. Let $S$ be a set of clauses and let $G$ and $G'$ be two sets of ground terms. If $G \subseteq G'$ then $S{\downarrow}_G \subseteq S{\downarrow}_{G'}$.

Definition 19. If $S$ is a set of clauses, we denote by $S_\vee$ the set of clauses of the form $\bigvee_{i=1}^n C_i\sigma_i$ such that for every $i \in [1, n]$, $C_i \in S$ and $\sigma_i$ is a pure substitution.

Example 20. Let $S = \{p(x, y)\}$. Then $S_\vee$ contains among others the clauses $p(x, x)$, $p(x, y)$, $p(x, y) \vee p(z, u)$, $p(x, y) \vee p(y, x)$, $p(x, y) \vee p(y, z) \vee p(z, u)$, etc.

Definition 21. An instantiation procedure $\Theta$ for $\mathcal{B}$ is base-complete iff the following conditions hold:

1. For every $S \in \mathfrak{C}_B$ there exists a finite set of terms $G_S$ such that $\Theta(S) = S{\downarrow}_{G_S}$ and $\Theta(S)$ and $S$ are $\mathcal{B}$-equisatisfiable.

2. If $S \subseteq S'$ then $G_S \subseteq G_{S'}$.

3. For every clause set $S \in \mathfrak{C}$, $G_{S_\vee} \subseteq G_S$.

Obviously these conditions are much stronger than those of Definition 16. Informally, Definition 21 states that:

1. All variables must be instantiated in a uniform³ way by ground terms, and satisfiability must be preserved.

2. The instantiation procedure is monotonic.

3. The considered set of ground terms does not change when new clauses are added to $S$, provided that these clauses are obtained from clauses already occurring in $S$ by disjunction and pure instantiation only.

3.2.3 Definition of the Combined Instantiation Scheme

We now define an instantiation procedure for $\mathcal{N}[\mathcal{B}]$. Intuitively this procedure is defined as follows.

1. First, the nesting part of each clause in $S$ is extracted and all base variables are instantiated by arbitrary constant symbols $\bullet$ (one for each base sort).

2. The instantiation procedure for $\mathcal{N}$ is applied on the resulting clause set. This instantiates all nesting variables (but not the base variables, since they have already been instantiated at Step 1).

3. All the substitutions on nesting variables from Step 2 are applied to the initial set of clauses.

4. Assuming the instantiation procedure for $\mathcal{B}$ is base-complete, if this procedure was applied to the base part of the clauses, then by Condition 1 of Definition 21 the base variables in the base part of the clauses would be uniformly instantiated by some set of terms $G$. All base variables and all occurrences of constants $\bullet$ are replaced by all possible terms in $G$.

Example 22. Assume that $\mathcal{B} = \mathcal{A}_{\mathbb{Z}}$, $\mathcal{N} = \mathcal{A}_{fol}$ and that $\mathcal{F}$ contains the following symbols: $a : int$, $b : int$, $c : s$ and $p : int \times s \rightarrow bool$. Consider the set $S = \{x \not\simeq a \vee p(x,y),\ u \not\simeq b \vee \neg p(u,c)\}$.

1. We compute the set $S_N = \{p(x,y), \neg p(u,c)\}$ and replace every base variable by $\bullet$. This yields the set: $\{p(\bullet, y), \neg p(\bullet, c)\}$.

2. We apply an instantiation procedure for $\mathcal{A}_{fol}$.$^{3,4}$ Obviously, this procedure should instantiate the variable $y$ by $c$, yielding $\{p(\bullet, c), \neg p(\bullet, c)\}$.

3. We apply the (unique in our case) substitution $y \mapsto c$ to the initial clauses: $\{x \not\simeq a \vee p(x,c),\ u \not\simeq b \vee \neg p(u,c)\}$. Note that at this point all the remaining variables are in $\mathcal{X}_B$.

4. We compute the set of clauses $S_B = \{x \not\simeq a,\ u \not\simeq b\}$ and the set of terms $G_{S_B}$.$^{5}$ It should be intuitively clear that $x$ must be instantiated by $a$ and $u$ by $b$, yielding $G_{S_B} = \{a, b\}$.



3 Of course sort constraints must be taken into account.

4 There exist several instantiation procedures for $\mathcal{A}_{fol}$; one such example is given in Section 4.

5 A formal definition of an instantiation procedure for this fragment of Presburger arithmetic will be given in Section 4.1.1.
5. We thus replace all base variables by every term in $\{a, b\}$, yielding the set $\{a \not\simeq a \vee p(a,c),\ b \not\simeq a \vee p(b,c),\ a \not\simeq b \vee \neg p(a,c),\ b \not\simeq b \vee \neg p(b,c)\}$, i.e., after simplification, $\{p(a,c),\ b \not\simeq a \vee p(b,c),\ a \not\simeq b \vee \neg p(a,c),\ \neg p(b,c)\}$. It is straightforward to check that this set of clauses is unsatisfiable. Any SMT-solver capable of handling arithmetic and propositional logic can be employed to test the satisfiability of this set.

The formal definition of the procedure is given below. Let $\pi$ be a substitution mapping every variable of a sort $s \in \mathcal{S}_B$ to an arbitrary constant symbol $\bullet_s$ of sort $s$.

Definition 23. Let $\Theta_B$ be a base-complete instantiation procedure and $\Theta_N$ be a nesting-complete instantiation procedure. $\Theta_N[\Theta_B](S)$ is defined as the set of clauses of the form $(C_B \vee C_N)\theta'\sigma$ where:

• $C \in S$.

• $C_N\theta \in \Theta_N(S_N\pi)$.

• $\theta'$ is obtained from $\theta$ by replacing every occurrence of a constant symbol $\bullet_s$ in the co-domain of $\theta$ by a fresh variable of the same sort.

• $\sigma$ maps every variable in $C\theta'$ to a term of the same sort in $G_{S_B}$.
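The procedure of Definition 23, run on the clause set of Example 22, as an added example (this is not code from the paper). The two component procedures are simplified stand-ins chosen here: $\Theta_N$ is one hyper-linking round (mgu of complementary literals) and $\Theta_B$ takes the ground base terms occurring in $S_B$ as $G_{S_B}$; both are assumptions, not the paper's procedures, and the term, literal and clause encodings are constructed for this example.

```python
from collections import namedtuple
from itertools import product

BASE_SORT = "int"   # base sort of Example 22; "s" is the nesting sort
BULLET = ("•",)     # the constant • of Definition 23 (base sort)
Var = namedtuple("Var", "name sort")   # a sorted variable
# Every other term is a tuple (symbol, arg1, ..., argn); constants are 1-tuples.

def vars_of(t):
    return {t} if isinstance(t, Var) else set().union(*(vars_of(a) for a in t[1:]))

def subst(t, s):
    return s.get(t, t) if isinstance(t, Var) else (t[0],) + tuple(subst(a, s) for a in t[1:])

def unify(s, t, sub):
    """Syntactic mgu extending `sub` (bindings kept fully applied), or None."""
    s, t = subst(s, sub), subst(t, sub)
    if s == t:
        return sub
    if isinstance(t, Var): s, t = t, s
    if isinstance(s, Var):   # bind s, unless the occurs check fails
        return None if s in vars_of(t) else {v: subst(u, {s: t}) for v, u in sub.items()} | {s: t}
    if s[0] != t[0] or len(s) != len(t):
        return None
    for a, b in zip(s[1:], t[1:]):
        sub = unify(a, b, sub)
        if sub is None:
            return None
    return sub

# A clause is a frozenset of literals (polarity, predicate, args); the base
# literal t ≉ t' is (False, "≈", (t, t')), every other literal is a nesting one.
def clause_subst(C, s):
    return frozenset((pol, p, tuple(subst(a, s) for a in args)) for pol, p, args in C)

def clause_vars(C):
    return set().union(*(vars_of(a) for _, _, args in C for a in args))

def base_part(C):
    return frozenset(l for l in C if l[1] == "≈")

def pi(C):
    """π of Definition 23: every base variable is mapped to •."""
    return clause_subst(C, {v: BULLET for v in clause_vars(C) if v.sort == BASE_SORT})

def theta_N(S):
    """Stand-in for Θ_N (assumption): one hyper-linking round, i.e. for each clause C
    the mgus of a literal of C with a complementary literal of S, restricted to Var(C)."""
    links = {}
    for C in S:
        subs = []
        for pol, p, args in C:
            for D in S:
                for pol2, p2, args2 in D:
                    if p2 != p or pol2 == pol:
                        continue
                    mgu = unify(("args",) + args, ("args",) + args2, {})
                    if mgu is not None:
                        subs.append({v: t for v, t in mgu.items() if v in clause_vars(C)})
        links[C] = subs
    return links

def theta_B_terms(S_B):
    """Stand-in for Θ_B (assumption): G_{S_B} = the ground base terms of S_B."""
    return {a for C in S_B for _, _, args in C for a in args if not vars_of(a)}

def unbullet(t, fresh):
    """θ' of Definition 23: each • in a co-domain term becomes a fresh base variable."""
    if isinstance(t, Var): return t
    if t == BULLET:
        fresh.append(Var(f"z{len(fresh)}", BASE_SORT))
        return fresh[-1]
    return (t[0],) + tuple(unbullet(a, fresh) for a in t[1:])

def simplify(C):
    """Drop false literals t ≉ t; a clause containing t ≃ t is a tautology (None)."""
    taut = any(pol and p == "≈" and a[0] == a[1] for pol, p, a in C)
    return None if taut else frozenset(l for l in C if l[1] != "≈" or l[2][0] != l[2][1])

def nested_instantiation(S):
    """Θ_N[Θ_B](S): the ground clauses (C_B ∨ C_N)θ'σ of Definition 23."""
    S_N_pi = {C: pi(C - base_part(C)) for C in S}           # step 1
    links = theta_N(set(S_N_pi.values()))                    # step 2
    G = theta_B_terms([base_part(C) for C in S])             # step 4
    result = set()
    for C in S:
        for theta in links[S_N_pi[C]]:
            fresh = []
            D = clause_subst(C, {v: unbullet(t, fresh) for v, t in theta.items()})  # step 3
            bvars = [v for v in clause_vars(D) if v.sort == BASE_SORT]
            for choice in product(G, repeat=len(bvars)):     # step 5
                if (E := simplify(clause_subst(D, dict(zip(bvars, choice))))) is not None:
                    result.add(E)
    return result

def example_22():
    """S = {x ≉ a ∨ p(x, y), u ≉ b ∨ ¬p(u, c)} with x, u : int and y : s."""
    x, u, y = Var("x", BASE_SORT), Var("u", BASE_SORT), Var("y", "s")
    a, b, c = ("a",), ("b",), ("c",)
    return {frozenset({(False, "≈", (x, a)), (True, "p", (x, y))}),
            frozenset({(False, "≈", (u, b)), (False, "p", (u, c))})}
```

`nested_instantiation(example_22())` returns the four simplified ground clauses listed at Step 5 of Example 22; deciding their satisfiability is left to an external solver, as the example states.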

The following proposition is straightforward to prove and states the soundness of this procedure:

Proposition 24. Let $\Theta_B$ be a base-complete instantiation procedure and let $\Theta_N$ be a nesting-complete instantiation procedure. For every set of clauses $S \in \mathfrak{C}$, $\Theta_N[\Theta_B](S)$ is a set of ground instances of clauses in $S$. Thus if $\Theta_N[\Theta_B](S)$ is $\mathcal{N}[\mathcal{B}]$-unsatisfiable, then so is $S$.

Several examples of concrete instantiation procedures satisfying the conditions of Definitions 16 and 21 are provided in Section 4.

3.3 Completeness

The remainder of this section is devoted to the proof of the main result of this paper, namely that the procedure $\Theta_N[\Theta_B]$ is complete for $\mathcal{N}[\mathcal{B}]$:

Theorem 25. Let $\Theta_B$ be a base-complete instantiation procedure (for $\mathcal{B}$) and let $\Theta_N$ be a nesting-complete instantiation procedure (for $\mathcal{N}$). Then $\Theta_N[\Theta_B]$ is complete for $\mathcal{N}[\mathcal{B}]$; furthermore, this procedure is monotonic and $\mathcal{S}_B$-invariant.

The rest of the section (up to Page 21) can be skipped entirely by readers not interested in the more theoretical aspects of the work. The proof of this theorem relies on a few intermediate results that are developed in what follows.
3.3.1 Substitution Decomposition

Definition 26. A substitution $\sigma$ is a base substitution iff $dom(\sigma) \subseteq \mathcal{X}_B$. It is a nesting substitution iff $dom(\sigma) \subseteq \mathcal{X}_N$ and for every $x \in dom(\sigma)$, $x\sigma$ contains no non-variable base term.

We show that every ground substitution can be decomposed into two parts: a nesting substitution and a base substitution. We begin by an example:

Example 27. Assume that $\mathcal{B} = \mathcal{A}_{\mathbb{Z}}$, $\mathcal{N} = \mathcal{A}_{fol}$ and that $\mathcal{F}$ contains the following symbols: $f : s \times int \rightarrow s$, $c : s$. Consider the ground substitution $\sigma = \{x \mapsto f(c, s(0)),\ y \mapsto f(f(c,0),0),\ n \mapsto s(0)\}$. We can extract from $\sigma$ a nesting substitution by replacing all subterm-maximal base terms by variables, thus obtaining $\sigma_N = \{x \mapsto f(c,n),\ y \mapsto f(f(c,m),m)\}$, and then construct the base substitution $\sigma_B = \{n \mapsto s(0),\ m \mapsto 0\}$ such that $\sigma = \sigma_N\sigma_B$. Note that $\sigma_N$ is not ground and that $dom(\sigma_B) \not\subseteq dom(\sigma)$.

The following result generalizes this construction:

Proposition 28. Every ground substitution $\sigma$ can be decomposed into a product $\sigma = (\sigma_N\sigma_B)|_{dom(\sigma)}$ where $\sigma_N$ is a nesting substitution, $\sigma_B$ is a base substitution, and for all $x \in dom(\sigma_B) \setminus dom(\sigma)$,

• $\forall y \in dom(\sigma_B) \cap dom(\sigma)$, $x\sigma_B \neq y\sigma_B$;

• $\forall y \in dom(\sigma_B) \setminus dom(\sigma)$, $y\sigma_B = x\sigma_B \Rightarrow x = y$.



Proof. Let $E$ be the set of subterm-maximal base terms occurring in terms of the form $x\sigma$, with $x \in dom(\sigma)$. Let $\nu$ be a (partial) function mapping every term $t \in E \cap cod(\sigma)$ to an arbitrarily chosen variable $\nu(t)$ such that $\nu(t)\sigma = t$. This function $\nu$ is extended into a total function on $E$ by mapping all terms $t$ for which $\nu(t)$ is undefined to pairwise distinct new variables, not occurring in $dom(\sigma)$. Note that $\nu$ is injective by construction. The substitutions $\sigma_B$ and $\sigma_N$ are defined as follows:

• $dom(\sigma_N) = dom(\sigma) \cap \mathcal{X}_N$ and $x\sigma_N$ is the term obtained by replacing every occurrence of a term $t \in E$ in $x\sigma$ by $\nu(t)$;

• $dom(\sigma_B) = [dom(\sigma) \cap \mathcal{X}_B] \cup \nu(E)$; if $x = \nu(t)$ for some term $t \in E$, then $x\sigma_B = t$; otherwise, $x\sigma_B = x\sigma$. Note that $\sigma_B$ is well-defined, since by definition if $\nu(t) = \nu(s)$ then $t = s$.

By construction, $\sigma_N$ is a nesting substitution and $\sigma_B$ is a base substitution. Furthermore, since $\nu(t)\sigma_B = t$, $x\sigma_N\sigma_B = x\sigma$ for every $x \in dom(\sigma) \cap \mathcal{X}_N$. Similarly, for every $x \in dom(\sigma) \cap \mathcal{X}_B$, $x\sigma_N\sigma_B = x\sigma_B = x\sigma$ and therefore $\sigma = (\sigma_N\sigma_B)|_{dom(\sigma)}$. Let $x \in dom(\sigma_B) \setminus dom(\sigma)$. By definition of $\sigma_B$, $x$ is of the form $\nu(t)$ for some $t \in E$, and there is no variable $y \in dom(\sigma)$ such that $y\sigma = t$, since otherwise $\nu(t)$ would have been defined as $y$. Thus $\forall y \in dom(\sigma_B) \cap dom(\sigma)$, $x\sigma_B \neq y\sigma = y\sigma_B$. Now if $y \in dom(\sigma_B) \setminus dom(\sigma)$ and $x\sigma_B = y\sigma_B$, then $y$ is also of the form $\nu(s)$ for some $s \in E$ and we have $x\sigma_B = t$ and $y\sigma_B = s$, hence $t = s$ and $x = y$. ■
3.3.2 Partial Evaluations

Given a set of clauses $S$ in $\mathcal{N}[\mathcal{B}]$ and an interpretation $I$ of $\mathcal{B}$, we consider a set of clauses $S'$ of $\mathcal{N}$ by selecting those ground instances of clauses in $S$ whose base part evaluates to false in $I$ and adding their nesting part to $S'$. More formally:

Definition 29. For every clause $C \in \mathfrak{C}_B$ and for every interpretation $I \in \mathcal{I}_B$, we denote by $\Phi_I(C)$ the set of ground substitutions $\eta$ of domain $Var(C)$ such that $I \not\models C\eta$. Then, for every $S \in \mathfrak{C}$ we define:

$$S|_I = \{C_N\eta \mid C \in S,\ \eta \in \Phi_I(C_B)\}.$$

Example 30. Let $S = \{x \not\simeq a \vee P(x),\ y < 2 \vee Q(y,z)\}$ be a set of clauses in $\mathcal{A}_{fol}[\mathcal{A}_{\mathbb{Z}}]$, where $x, y, a$ are of sort $int$ and $z$ is a variable of a sort distinct from $int$. Let $I$ be the interpretation of natural numbers such that $a^I = 1$. Then $\Phi_I(x \not\simeq a) = \{x \mapsto 1\}$ and $\Phi_I(y < 2) = \{y \mapsto k \mid k \in \mathbb{N},\ k \geq 2\}$. Therefore $S|_I = \{P(1)\} \cup \{Q(k,z) \mid k \in \mathbb{N},\ k \geq 2\}$.

The following lemma shows that $S|_I$ is $\mathcal{N}$-unsatisfiable when $S$ is $\mathcal{N}[\mathcal{B}]$-unsatisfiable.

Lemma 31. For every $\mathcal{N}[\mathcal{B}]$-unsatisfiable set of clauses $S \in \mathfrak{C}$ and for every $I \in \mathcal{I}_B$, $S|_I$ is $\mathcal{N}$-unsatisfiable.

Proof. Let $\mathcal{N}[\mathcal{B}] = (\mathcal{I}, \mathfrak{C})$. Assume that $S|_I$ is $\mathcal{N}$-satisfiable, i.e. that there exists an interpretation $J \in \mathcal{I}_N$ validating $S|_I$. W.l.o.g. we assume that the domain of $J$ is disjoint from that of $I$. We construct an interpretation $K \in \mathcal{I}$ satisfying $S$, which will yield a contradiction since $S$ is $\mathcal{N}[\mathcal{B}]$-unsatisfiable by hypothesis.

For all sort symbols $s \in \mathcal{S}_B$ and for all $e \in s^I$, we denote by $\gamma(e)$ an arbitrarily chosen ground term in $\mathcal{T}_B$ such that $[\gamma(e)]_I = e$.$^{6}$ If $E$ is a ground expression, we denote by $E{\downarrow}\gamma$ the expression obtained from $E$ by replacing every ground base term $t$ by $\gamma([t]_I)$; by construction $[E]_I = [E{\downarrow}\gamma]_I$. Let $\psi : D^I \uplus D^J \rightarrow D^J$ be the function defined for every element $e \in D^I \cup D^J$ as follows:

• if $e \in s^I$ for some $s \in \mathcal{S}_B$ then $\psi(e) = [\gamma(e)]_J$;

• otherwise $\psi(e) = e$.

We define the interpretation $K$ by combining $I$ and $J$ as follows:

• $K$ coincides with $I$ on $\mathcal{S}_B$ and on every function symbol whose co-domain is in $\mathcal{S}_B$.

• $K$ coincides with $J$ on $\mathcal{S}_N$.

6 $\gamma(e)$ always exists since we restricted ourselves to interpretations such that, for every $s \in \mathcal{S}$, $s^I = \{[t]_I \mid t \in \mathcal{T}_s\}$.

• For all function symbols $f \in \mathcal{F}_N$ of arity $n$, $f^K(e_1, \ldots, e_n) = f^J(\psi(e_1), \ldots, \psi(e_n))$. Note that $f^K$ is well-defined since by definition of $\psi$, if $e \in s^I$ then $\psi(e) \in s^J$.

Let $E$ be a ground expression (term, atom, literal, clause or $\omega$-clause) such that $E{\downarrow}\gamma = E$. Assume that $E$ is a ground instance of an expression occurring in a clause in $\mathfrak{C}_N$. We prove by structural induction on $E$ that $[E]_J = \psi([E]_K)$.

• If $E$ is a term of a sort in $\mathcal{S}_B$ then since $I$ and $K$ coincide on $\mathcal{S}_B \cup \mathcal{F}_B$, we have $[E]_K = [E]_I$. By hypothesis $E{\downarrow}\gamma = E$, thus $\gamma([E]_I) = E$ and by definition of $\psi$, $\psi([E]_K) = \psi([E]_I) = [\gamma([E]_I)]_J = [E]_J$.

• If $E$ is of the form $f(t_1, \ldots, t_n)$ where $f \in \mathcal{F}_N$, then by definition $[E]_J = f^J([t_1]_J, \ldots, [t_n]_J)$ and by the induction hypothesis, $[t_i]_J = \psi([t_i]_K)$ for $i \in [1,n]$. Again by definition, $[E]_K = f^J(\psi([t_1]_K), \ldots, \psi([t_n]_K)) = f^J([t_1]_J, \ldots, [t_n]_J) = [E]_J$. Thus, since the domains of $I$ and $J$ are disjoint, $[E]_J \notin D^I$, hence $\psi([E]_J) = [E]_J$.

• If $E$ is an atom of the form $t_1 \simeq t_2$ then $t_1, t_2$ are not of a sort in $\mathcal{S}_B$. Indeed $E$ occurs in a ground instance of a clause $C$ occurring in $\mathfrak{C}_N$ and by Definition 10 such clauses cannot contain equalities between base terms. Thus we have $\psi([t_i]_K) = [t_i]_K$ (for $i = 1, 2$) and the proof is straightforward.

• The proof is immediate if $E$ is a literal or a (possibly infinite) disjunction of literals.

Since $J \models S|_I$ and all specifications are assumed to be $\omega$-definable (see Definition 5), we deduce that $K \models S|_I \cup Ax(\mathcal{I}_N)$. Indeed, for the sake of contradiction, assume that there exists an $\omega$-clause $C \in S|_I \cup Ax(\mathcal{I}_N)$ and a ground substitution $\theta$ of domain $Var(C)$ such that $K \not\models C\theta$. Since $K \models t \simeq t{\downarrow}\gamma$ for every term $t$, necessarily $K \not\models C\theta'$ where $x\theta' = x\theta{\downarrow}\gamma$. But then $C\theta'{\downarrow}\gamma = C\theta'$ and since $[E]_J = \psi([E]_K)$, we conclude that $J \not\models C\theta'$, which is impossible since by hypothesis $J$ is an $\mathcal{N}$-model of $S|_I$.

We now prove that $K \models S$. Let $C \in S$ and $\eta$ be a ground substitution of domain $Var(C)$. W.l.o.g. we assume that $\forall x \in Var(C)$, $x\eta{\downarrow}\gamma = x\eta$. Let $\eta_B$ (resp. $\eta_N$) be the restriction of $\eta$ to the variables of a sort in $\mathcal{S}_B$ (resp. in $\mathcal{S}_N$). If $I \models C_B\eta_B$ then $K \models C_B\eta_B$ because $K$ and $I$ coincide on $\mathcal{S}_B \cup \mathcal{F}_B$, and consequently $K \models C\eta$ (since $C\eta \supseteq C_B\eta_B$). If $I \not\models C_B\eta_B$ then $\eta_B \in \Phi_I(C_B)$, hence $C_N\eta_B \in S|_I$. Again $K \models C_N\eta_B$, hence $K \models C\eta$; therefore $K \models S$.

Finally, since $K$ coincides with $I$ on $\mathcal{S}_B \cup \mathcal{F}_B$ we have $K \models Ax(\mathcal{I}_B)$. This proves that $K$ is an $\mathcal{N}[\mathcal{B}]$-model of $S$, which is impossible. ■

3.3.3 Abstraction of Base Terms

Lemma 31 relates the $\mathcal{N}[\mathcal{B}]$-unsatisfiability of a set of clauses $S$ to the $\mathcal{N}$-unsatisfiability of sets of the form $S|_I$. By definition, $S|_I$ is of the form $S'\sigma$, for some clause set $S' \in \mathfrak{C}_N$ and for some ground base substitution $\sigma$. However, since neither $Ax(\mathcal{I}_N)$ nor $\mathfrak{C}_N$ contains symbols of a sort in $\mathcal{S}_B$, the interpretation of the ground base terms of $S'$ in an interpretation of $\mathcal{I}_N$ is arbitrary: changing the values of these terms does not affect the $\mathcal{N}$-satisfiability of the formula. Thus the actual concrete values of the ground base terms do not matter: what is important is only how these terms compare to each other.

Example 32. Assume that $\mathcal{N} = \mathcal{A}_{fol}$, $p : int \times s \rightarrow bool$, $a : s$, and let $S = \{p(x,z), \neg p(y,a)\}$. Consider $\sigma = \{x \mapsto 0, y \mapsto 0\}$; clearly, $S\sigma \models_{\mathcal{N}} \Box$. But also $S\{x \mapsto s(0), y \mapsto s(0)\} \models_{\mathcal{N}} \Box$ and more generally $S\{x \mapsto t, y \mapsto t\} \models_{\mathcal{N}} \Box$. On the other hand, $S\{x \mapsto 0, y \mapsto s(0)\} \not\models_{\mathcal{N}} \Box$ and more generally $S\{x \mapsto t, y \mapsto t'\} \not\models_{\mathcal{N}} \Box$ if $t, t'$ are distinct integers.

Therefore, if $S\sigma \models_{\mathcal{N}} C\sigma$ for some base substitution $\sigma$ then actually $S\theta \models_{\mathcal{N}} C\theta$, for every substitution $\theta$ such that $x\theta = y\theta \Leftrightarrow x\sigma = y\sigma$. This will be formalized in the following definitions and lemma. We first introduce an unusual notion of semantic entailment. The intuition is that variables in $\mathcal{X}_B$ are considered as "rigid" variables that must be instantiated by arbitrary ground terms:

Definition 33. Let $S \in \mathfrak{C}_N$. We write $S \models_r C$ iff for every ground substitution $\sigma$ of domain $\mathcal{X}_B$, $S\sigma \models_{\mathcal{N}} C\sigma$.

Example 34. Assume that $\mathcal{N} = \mathcal{A}_{fol}$. Let $a : s$, $p : int \times s \rightarrow bool$ and $q : int \rightarrow bool$, where $int \in \mathcal{S}_B$, $s \in \mathcal{S}_N$. Let $S = \{p(x,y),\ \neg p(u,a) \vee q(u)\}$, where $x, y, u$ are variables. Then $S \models_r q(x)$, but $S \not\models_r q(0)$. Note that $x$ denotes the same variable in $S$ and $q(x)$ (the variables are not renamed).

Definition 35. For every substitution $\sigma$ we denote by $\langle\sigma\rangle$ an arbitrarily chosen pure substitution such that $x\sigma = y\sigma \Rightarrow x\langle\sigma\rangle = y\langle\sigma\rangle$, for every $x, y \in \mathcal{X}$.

Note that such a substitution always exists. The next lemma can be viewed as a generalization lemma: it shows that the values of the ground base terms can be abstracted into variables.

Lemma 36. Let $S \in \mathfrak{C}_N$ and $\sigma$ be a base substitution such that $dom(\sigma) \subseteq \mathcal{X}_B$. If $S\sigma \models_{\mathcal{N}} C\sigma$ then $S\langle\sigma\rangle \models_r C\langle\sigma\rangle$.

Proof. Let $\theta$ be a substitution of domain $\mathcal{X}_B$. We assume that there exists an $I \in \mathcal{I}_N$ such that $I \models S\langle\sigma\rangle\theta$ and $I \not\models C\langle\sigma\rangle\theta$, and we show that a contradiction can be derived.

For every ground term $t$, we denote by $\Gamma(t)$ the ground term obtained from $t$ by replacing every ground subterm of the form $x\sigma$ by $x\langle\sigma\rangle\theta$. $\Gamma$ is well-defined: indeed, if $x\sigma = y\sigma$, then by definition of $\langle\sigma\rangle$, $x\langle\sigma\rangle = y\langle\sigma\rangle$, thus $x\langle\sigma\rangle\theta = y\langle\sigma\rangle\theta$. Let $J$ be the interpretation defined as follows:$^{7}$

• If $s \in \mathcal{S}_B$ then $s^J = \mathcal{T}_s$.

• If $f$ is a symbol of rank $s_1 \times \ldots \times s_n \rightarrow s$ where $s_1, \ldots, s_n, s \in \mathcal{S}_B$ then $f^J(t_1, \ldots, t_n) = f(t_1, \ldots, t_n)$.

7 Intuitively, $J$ interprets every base term as itself and coincides with $I$ on nesting terms.

• If $f$ is a symbol of rank $s_1 \times \ldots \times s_n \rightarrow s$ where $s \notin \mathcal{S}_B$ then $f^J(t_1, \ldots, t_n) = f^I(t'_1, \ldots, t'_n)$ where for every $i \in [1,n]$, $s_i \in \mathcal{S}_N \Rightarrow t'_i = [t_i]_J$ and $s_i \in \mathcal{S}_B \Rightarrow t'_i = [\Gamma(t_i)]_I$.

By construction, $[s]_J = s$ for every ground base term $s$; we prove that for every ground nesting term $t$, $[t]_J = [\Gamma(t)]_I$, by induction on $t$. If $t = f(t_1, \ldots, t_n)$, then $[t]_J = f^I(t'_1, \ldots, t'_n)$ where for every $i \in [1,n]$, $s_i \in \mathcal{S}_N \Rightarrow t'_i = [t_i]_J$ and $s_i \in \mathcal{S}_B \Rightarrow t'_i = [\Gamma(t_i)]_I$. By the induction hypothesis, $s_i \in \mathcal{S}_N \Rightarrow t'_i = [\Gamma(t_i)]_I$. Thus $[t]_J = f^I([\Gamma(t_1)]_I, \ldots, [\Gamma(t_n)]_I) = [\Gamma(t)]_I$.

Now let $\sigma'$ be a ground substitution with a domain in $\mathcal{X}_N$, and let $\theta' = \Gamma \circ \sigma'$. We prove that for every expression $E$ occurring in $S \cup \{C\}$ that is not a base term, $[E\sigma\sigma']_J = [E\langle\sigma\rangle\theta\theta']_I$.

• Assume that $E$ is a variable $x$ in $\mathcal{X}_N$. Then $[E\sigma\sigma']_J = [x\sigma']_J$, and by the previous relation we get $[E\sigma\sigma']_J = [\Gamma(x\sigma')]_I = [x\theta']_I = [E\langle\sigma\rangle\theta\theta']_I$.

• Assume that $E$ is a nesting term of the form $f(t_1, \ldots, t_n)$. Then by the result above, $[E\sigma\sigma']_J = [\Gamma(E\sigma\sigma')]_I$. By definition of $\Gamma$ we have $\Gamma(E\sigma\sigma') = f(\Gamma(t_1\sigma\sigma'), \ldots, \Gamma(t_n\sigma\sigma'))$, therefore $[E\sigma\sigma']_J = f^I([\Gamma(t_1\sigma\sigma')]_I, \ldots, [\Gamma(t_n\sigma\sigma')]_I)$. For $i \in [1,n]$, if $t_i$ is a nesting term then by the result above $[\Gamma(t_i\sigma\sigma')]_I = [t_i\sigma\sigma']_J$ and by the induction hypothesis, $[\Gamma(t_i\sigma\sigma')]_I = [t_i\langle\sigma\rangle\theta\theta']_I$. Otherwise, $t_i$ is a base term, and must necessarily be a variable, thus $\Gamma(t_i\sigma) = t_i\langle\sigma\rangle\theta$. Therefore $\Gamma(t_i\sigma\sigma') = \Gamma(t_i\sigma) = t_i\langle\sigma\rangle\theta = t_i\langle\sigma\rangle\theta\theta'$. Therefore $[E\sigma\sigma']_J = f^I([t_1\langle\sigma\rangle\theta\theta']_I, \ldots, [t_n\langle\sigma\rangle\theta\theta']_I) = [E\langle\sigma\rangle\theta\theta']_I$.

• The proof is similar if $E$ is of the form $t \simeq s$, $t \not\simeq s$ or $\bigvee_{i=1}^{n} l_i$.

We thus conclude that for every clause $D \in S \cup \{C\} \cup Ax(\mathcal{I}_N)$, $J \models D\sigma\sigma'$ iff $I \models D\langle\sigma\rangle\theta\theta'$. Since $I \models S\langle\sigma\rangle\theta \cup Ax(\mathcal{I}_N)$, we deduce that $J \models S\sigma \cup Ax(\mathcal{I}_N)$, which proves that $J \in \mathcal{I}_N$. Since $I \not\models C\langle\sigma\rangle\theta$ we have $J \not\models C\sigma$, which is impossible because $J \in \mathcal{I}_N$ and $S\sigma \models_{\mathcal{N}} C\sigma$. ■

3.3.4 Completeness of $\Theta_B$ for $\omega$-Clauses

In this section, we prove that any procedure that is base-complete is also complete for some classes of sets of possibly infinite $\omega$-clauses; this is of course not the case in general. We first notice that the notation $S^{\vee}$ of Definition 19 can be extended to $\omega$-clauses, by allowing infinite disjunctions:

Definition 37. Given a set of clauses $S$, we denote by $S^{\vee\omega}$ the set of $\omega$-clauses of the form $\bigvee\{C_i\sigma_i \mid i \in \mathbb{N},\ C_i \in S,\ \sigma_i \text{ is a pure substitution}\}$.

The notation $S{\downarrow}_G$ also extends to $\omega$-clauses: $S{\downarrow}_G$ is the set of clauses $C\sigma$ such that $C \in S$ and $\sigma$ maps every variable in $C$ to a term in $G$.

Proposition 38. Let $S$ be a finite set of clauses and $G$ be a finite set of terms. Then $S^{\vee\omega}{\downarrow}_G$ is a finite set of clauses.
Proof. By definition, any literal occurring in $S^{\vee\omega}$ is of the form $L\sigma$ where $L$ is a literal occurring in a clause $C \in S$ and $\sigma$ is a pure substitution. Thus any literal occurring in $S^{\vee\omega}{\downarrow}_G$ is of the form $L\sigma\theta$ where $L$ is a literal occurring in a clause in $S$, $\sigma$ is pure and $\theta$ maps every variable to a term in $G$. Obviously, since $G$ and $S$ are finite, there are finitely many literals of this form. Hence all the $\omega$-clauses in $S^{\vee\omega}{\downarrow}_G$ are actually finite, and there are only finitely many possible clauses. ■



Lemma 39. Let $S$ be a set of clauses and $S'$ a set of $\omega$-clauses with $S' \subseteq S^{\vee\omega}$. If $G$ is a finite set of terms, then there exists a set of clauses $S'' \leq S'$ such that $S''{\downarrow}_G = S'{\downarrow}_G$.



Proof. Let $C$ be a clause in $S'{\downarrow}_G$; by Proposition 38 $C$ is finite. By definition there exists an $\omega$-clause $C' \in S'$ such that $C = C'\theta$, where $\theta$ is a substitution mapping all the variables in $Var(C')$ to a term in $G$. Every literal in $C'$ is of the form $L\gamma$, where literal $L$ occurs in $S$ and $\gamma$ is a pure substitution of $Var(L)$. Since $S$ and $G$ are finite, there is a finite number of possible pairs $(L, \gamma\theta)$. Thus there exists a finite subset $D_C \subseteq C'$ such that for every literal $L\gamma$ occurring in $C'$, there exists a literal $L\gamma' \in D_C$ with $\gamma\theta = \gamma'\theta$.

Every variable occurring in a literal $L\gamma$ of $C'$ is of the form $x\gamma$, where $x \in Var(L)$. Let $\eta_C$ be the substitution mapping every variable $x\gamma \in Var(C' \setminus D_C)$ to $x\gamma'$. Then for every literal $L\gamma \in C'$, we have $L\gamma\eta_C = L\gamma' \in D_C$. Thus $C'\eta_C = D_C$; furthermore, $\eta_C$ is pure and $D_C\eta_C = D_C$.

We define $S'' = \{D_C \mid C \in S'{\downarrow}_G\}$; obviously $S'' \leq S'$ and by definition $S''{\downarrow}_G \supseteq S'{\downarrow}_G$. Conversely, let $E$ be a clause in $S''{\downarrow}_G$; $E$ is necessarily of the form $D_C\theta$ where $C \in S'{\downarrow}_G$ and $\theta$ maps every variable to a term in $G$. But then $E$ is of the form $C'\eta_C\theta$, where $C' \in S'$, and $\eta_C\theta$ is a substitution mapping every variable in $C'$ to a term in $G$; thus $E$ must occur in $S'{\downarrow}_G$. ■

The next lemma proves the completeness result for $\omega$-clauses:

Lemma 40. Let $\Theta$ be a base-complete instantiation procedure and $S$ be a set of clauses. If $S' \subseteq S^{\vee\omega}$ then $S'$ and $S'{\downarrow}_{G_S}$ are $\mathcal{B}$-equisatisfiable.

Note that the clauses in $S$ are finite, but those in $S'$ may be infinite.

Proof. $S'{\downarrow}_{G_S}$ is a logical consequence of $S'$, thus if $S'$ is satisfiable then so is $S'{\downarrow}_{G_S}$; we now prove the converse. Let $I$ be an interpretation validating $S'{\downarrow}_{G_S}$. By Lemma 39 there exists a set of clauses $S''$ such that $S'' \leq S'$ and $S'{\downarrow}_{G_S} = S''{\downarrow}_{G_S}$. Since $I \models S''{\downarrow}_{G_S}$, we deduce that $S''{\downarrow}_{G_S}$ is satisfiable, hence (since by Condition 1 in Definition 21 $\Theta$ is complete$^{8}$) so is $S''$. But $S'' \leq S'$, therefore by Proposition [ref] $S'$ is satisfiable. ■

3.3.5 Main Proof

We are now in the position to give the proof of the main theorem.

8 Recall that $S''$ is a set of finite clauses.
Proof (of Theorem 25). Let $\Theta = \Theta_N[\Theta_B]$ and let $S$ be an unsatisfiable clause set in $\mathfrak{C}$. We prove that $\Theta(S)$ is also unsatisfiable.

Let $I \in \mathcal{I}_B$; by Lemma 31 the set $S|_I = \{C_N\eta \mid C \in S,\ \eta \in \Phi_I(C_B)\}$ is $\mathcal{N}$-unsatisfiable, and by completeness of $\Theta_N$, so is $\Theta_N(S|_I)$. We define

$$A_I = \{C\eta\theta \mid C \in S,\ C_N\eta\theta \in \Theta_N(S|_I)\}.$$

This set may be infinite, since no assumption was made on the decidability of $\mathcal{N}$. Every clause in $A_I$ is of the form $C\eta\theta$ where $I \not\models C_B\eta$,$^{9}$ and by Proposition 28, $C\eta\theta = C\sigma\sigma'$, where $\sigma$ is a nesting substitution and $\sigma'$ is a base substitution. In particular, since $dom(\sigma) \subseteq \mathcal{X}_N$, $C_B\sigma\sigma' = C_B\sigma'$ and $I \not\models C_B\sigma'$.

By construction, the set $\{C_N\sigma\sigma' \mid (C_N \vee C_B)\sigma\sigma' \in A_I\}$ is $\mathcal{N}$-unsatisfiable. Thus for every model $J$ of $A_I$, there exists a clause $(C_N \vee C_B)\sigma\sigma' \in A_I$ such that $J \not\models C_N\sigma\sigma'$, hence $J \models C_B\sigma\sigma'$ (since $J \models A_I$ we have $J \models (C_N \vee C_B)\sigma\sigma'$). Since $C_B$ cannot contain nesting variables, we have $C_B\sigma\sigma' = C_B\sigma'$. Hence $A_I \models_{\mathcal{N}} \bigvee_{C\sigma\sigma' \in A_I} C_B\sigma'$. We let $T = S_B$ and define:

$$B_I = \{C\sigma\langle\sigma'\rangle \mid C\sigma\sigma' \in A_I\} \quad \text{and} \quad E_I = \bigvee_{C\sigma\sigma' \in A_I} C_B\langle\sigma'\rangle.$$

Note that since $A_I$ may be infinite, $E_I$ is an $\omega$-clause that belongs to $T^{\vee\omega}$. Lemma 36 guarantees that $B_I \models_r E_I$; thus by definition, for all sets of ground base terms $G$, $B_I{\downarrow}_G \models_{\mathcal{N}} E_I{\downarrow}_G$. This is in particular the case for $G = G_T$.

Let $U = \{E_I \mid I \in \mathcal{I}_B\}$; by construction, for all $I \in \mathcal{I}_B$, $I \not\models U$; hence $U$ is $\mathcal{B}$-unsatisfiable and since $U \subseteq T^{\vee\omega}$, by Lemma 40 $U{\downarrow}_{G_T}$ is also $\mathcal{B}$-unsatisfiable. We have shown that $B_I{\downarrow}_{G_T} \models_{\mathcal{N}} E_I{\downarrow}_{G_T}$. This, together with the fact that $U{\downarrow}_{G_T} = \bigcup_{I \in \mathcal{I}_B} E_I{\downarrow}_{G_T}$, permits to deduce that $\bigcup_{I \in \mathcal{I}_B} B_I{\downarrow}_{G_T} \models_{\mathcal{N}} U{\downarrow}_{G_T}$. Since $U{\downarrow}_{G_T}$ is $\mathcal{B}$-unsatisfiable (hence also $\mathcal{N}[\mathcal{B}]$-unsatisfiable), $\bigcup_{I \in \mathcal{I}_B} B_I{\downarrow}_{G_T}$ is $\mathcal{N}[\mathcal{B}]$-unsatisfiable.

There remains to prove that $\bigcup_{I \in \mathcal{I}_B} B_I{\downarrow}_{G_T} \subseteq \Theta(S)$ to obtain the result. Consider the function $\alpha$ that maps every term of a sort $s \in \mathcal{S}_B$ to $\bullet_s$; it is clear that $\alpha(S|_I) \subseteq S_N\pi$. In particular, if $C_N\sigma\sigma' \in \Theta_N(S|_I)$, then by the $\mathcal{S}_B$-invariance and monotonicity of $\Theta_N$,

$$C_N\sigma\langle\sigma'\rangle\pi = \alpha(C_N\sigma\sigma') \in \Theta_N(\alpha(S|_I)) \subseteq \Theta_N(S_N\pi).$$

Therefore, $(C\sigma\langle\sigma'\rangle){\downarrow}_{G_T} \subseteq \Theta(S)$, hence the result.

The fact that $\Theta_N[\Theta_B]$ is $\mathcal{S}_B$-invariant and monotonic follows immediately from the definition and from the fact that $\Theta_N$ is $\mathcal{S}_B$-invariant and that $\Theta_B$ and $\Theta_N$ are monotonic. ■



4 Applications

In this section, we show some examples of applications of Theorem 25 that are particularly relevant in the context of program verification.

9 Recall that $C_B\eta\theta = C_B\eta$, since $\eta$ is a ground base substitution.
4.1 Examples of Base-Complete Specifications

4.1.1 Presburger Arithmetic

No base-complete instantiation procedure can be defined for the specification $\mathcal{A}_{\mathbb{Z}}$ as defined in Section 2.5, as evidenced by the following example.

Example 41. Assume that a base-complete procedure $\Theta$ exists, and consider the clause set $S = \{x \not\simeq y + 1,\ y \not\simeq 0\}$. Since $\Theta$ is base-complete by hypothesis, by Condition 1 of Definition 21 $\Theta(S) = S{\downarrow}_{G_S}$ for some finite set of ground terms $G_S$, and by Condition 3, $G_S$ contains $G_{S^{\vee}}$. But $S^{\vee}$ contains in particular the clause $C_n : \bigvee_{i=1}^{n} x_i \not\simeq x_{i-1} + 1 \vee x_0 \not\simeq 0$. $C_n$ is obviously $\mathcal{A}_{\mathbb{Z}}$-unsatisfiable, but the only instance of $C_n$ that is $\mathcal{A}_{\mathbb{Z}}$-unsatisfiable is $C_n\{x_i \mapsto i \mid i \in [0,n]\}$. Consequently $\{i \mid i \in [0,n]\} \subseteq G_S$, hence $G_S$ cannot be finite, thus contradicting Condition 1.

It is however possible to define base-complete procedures for less general specifications, that are still of practical value.

Definition 42. Let $\chi$ be a special constant symbol of sort $int$, let $m$ be a natural number distinct from $0$ and let $T_B$ be a set of ground terms of sort $int$ not containing $\chi$. We denote by $\mathcal{B}_{\mathbb{Z}}$ the specification $(\mathcal{I}'_{\mathbb{Z}}, \mathfrak{C}'_{\mathbb{Z}})$ defined as follows. $Ax(\mathcal{I}'_{\mathbb{Z}}) = Ax(\mathcal{I}_{\mathbb{Z}}) \cup \{\chi > t + m \mid t \in T_B\}$, where $Ax(\mathcal{I}_{\mathbb{Z}})$ is defined in Example 7 (Section 2.5). $\mathfrak{C}'_{\mathbb{Z}}$ contains every clause set $S$ such that every non-ground literal occurring in a clause in $S$ is of one of the following forms:

• $x \not< t$ or $t \not< x$ for some variable $x$ and for some ground term $t \in T_B$;

• $x \not\simeq y$ for some variables $x, y$;

• $x \not\simeq_k t$ for some $k \in \mathbb{N} \setminus \{0\}$ that divides $m$, some ground term $t \in T_B$ and some variable $x$.

Intuitively, the constant $\chi$ occurring in $Ax(\mathcal{I}'_{\mathbb{Z}})$ is meant to translate the fact that the terms appearing in $S$ admit an upper bound (namely $\chi$). It is clear that if $S$ is an arbitrary set of arithmetic clauses (not containing the special constant $\chi$), then the set $T_B$ and the integer $m$ can be computed so that $S$ indeed belongs to $\mathfrak{C}'_{\mathbb{Z}}$.

Definition 43. For every set of clauses $S \in \mathfrak{C}'_{\mathbb{Z}}$, let $B_S$ be the set of ground terms $t$ such that either $t = \chi$ or $S$ contains an atom of the form $x < t$. We define the instantiation procedure $\Theta_{\mathbb{Z}}$ by: $\Theta_{\mathbb{Z}}(S) = S{\downarrow}_{G^{\mathbb{Z}}_S}$, where $G^{\mathbb{Z}}_S$ is defined by: $G^{\mathbb{Z}}_S = \{t - l \mid t \in B_S,\ 0 \leq l \leq m\}$.

The two following propositions are straightforward consequences of the definition:

Proposition 44. If $S \subseteq S'$ then $G^{\mathbb{Z}}_S \subseteq G^{\mathbb{Z}}_{S'}$.

Proposition 45. $G^{\mathbb{Z}}_S = G^{\mathbb{Z}}_{S^{\vee}}$.

Proof. This is immediate because the set of ground terms occurring in $S^{\vee}$ is the same as that of $S$, since the atoms in $S^{\vee}$ are pure instances of atoms in $S$. Thus $B_{S^{\vee}} = B_S$. ■

Theorem 46. $\Theta_{\mathbb{Z}}$ is base-complete if $\mathcal{B} = \mathcal{B}_{\mathbb{Z}}$.

Proof. We adopt the following notations for the proof: given a set of terms $W$, we write $x \not< W$ for $\bigvee_{t \in W} x \not< t$ and $W \not< x$ for $\bigvee_{t \in W} t \not< x$. Additionally, if $K$ is a set of pairs $(k,t) \in \mathbb{N} \times \mathcal{T}_{int}$ then we denote by $\neg K(x)$ the disjunction $\bigvee_{(k,t) \in K} x \not\simeq_k t$.

Let $S \in \mathfrak{C}'_{\mathbb{Z}}$ and assume that $S$ is $\mathcal{B}_{\mathbb{Z}}$-unsatisfiable; we prove that $\Theta_{\mathbb{Z}}(S)$ is also $\mathcal{B}_{\mathbb{Z}}$-unsatisfiable. Let $I \in \mathcal{I}'_{\mathbb{Z}}$; then in particular, $I \models \{\chi > t + m \mid t \text{ is a ground term in } S\}$. Let $C$ be a clause in $S$ such that $I \not\models C$. By definition of $\mathfrak{C}'_{\mathbb{Z}}$, $C$ can be written as $C = D \vee \bigvee_{i=1}^{n} [x_i \not< U_i \vee L_i \not< x_i \vee \neg K_i(x_i)]$, where $D$ is ground and where the $x_i$'s ($1 \leq i \leq n$) denote distinct variables.$^{10}$ Since $I \not\models C$, there exists a ground substitution $\theta$ such that $I \not\models C\theta$, i.e., for all $i \in [1,n]$:

• $\forall u \in U_i$, $[x_i\theta]_I < [u]_I$;

• $\forall l \in L_i$, $[l]_I < [x_i\theta]_I$;

• $\forall (k,t) \in K_i$, $[x_i\theta]_I \simeq_k [t]_I$.

If $[x_i\theta]_I$ is such that $[x_i\theta]_I > [\chi]_I$, then it is straightforward to verify that $[x_i\theta]_I - m$ satisfies the same conditions, since for all terms $t$ in $U_i \cup L_i$, $[\chi]_I - m > [t]_I$, and since $m$ is a common multiple of every $k$ occurring in $K_i$. We may therefore assume that $[x_i\theta]_I \leq [\chi]_I$.

We denote by $u_i$ an element in $U_i \cup \{\chi\}$ such that $[u_i]_I$ is minimal in $\{[u]_I \mid u \in U_i \cup \{\chi\}\}$, and by $m_i$ the greatest integer such that $m_i < [u_i]_I$ and for every $(k,t) \in K_i$, $m_i \simeq_k t$ holds; the existence of $m_i$ is guaranteed by what precedes, and $[x_i\theta]_I \leq m_i$. We cannot have $m_i + m < [u_i]_I$, because otherwise $m_i$ would not be the greatest integer satisfying the conditions above. Thus, necessarily, $m_i \geq [u_i]_I - m$, and there must exist a term $v_i \in G^{\mathbb{Z}}_S$ such that $[v_i]_I = m_i$. Let $\sigma = \{x_i \mapsto v_i \mid i \in [1,n]\}$; we deduce that $I \not\models C\sigma$. Since $C\sigma \in S{\downarrow}_{G^{\mathbb{Z}}_S}$, we conclude that $S{\downarrow}_{G^{\mathbb{Z}}_S}$ is $\mathcal{B}_{\mathbb{Z}}$-unsatisfiable, hence the result.

By construction, $G^{\mathbb{Z}}_S$ is finite, hence Condition 1 of Definition 21 is satisfied. By Propositions 44 and 45, Conditions 2 and 3 are satisfied, respectively, which concludes the proof. ■
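The procedure $\Theta_{\mathbb{Z}}$ of Definition 43 on a one-variable clause of $\mathfrak{C}'_{\mathbb{Z}}$ (Definition 42), together with a brute-force check of the shifting argument in the proof of Theorem 46, as an added example (not code from the paper). The literal encoding, the clause $C$ and the interpretation $I$ are constructed here and are assumptions; ground terms of $T_B$ are strings that $I$ maps to integers, and $t - l$ is represented as the pair $(t, l)$.

```python
from math import lcm   # Python 3.9+

# Literals of Definition 42 over one variable x, as constructed tuples:
#   ("x<", t)      stands for x ≮ t,    false in I iff v < I(t)
#   ("<x", t)      stands for t ≮ x,    false in I iff I(t) < v
#   ("mod", k, t)  stands for x ≉_k t,  false in I iff v ≡ I(t) (mod k)
# where v is the value given to x and I maps ground terms (strings) to ints.
def lit_false(lit, v, I):
    if lit[0] == "x<":
        return v < I[lit[1]]
    if lit[0] == "<x":
        return I[lit[1]] < v
    return (v - I[lit[2]]) % lit[1] == 0

def modulus(S):
    """Smallest m allowed by Definition 42: every k of an x ≉_k t literal divides m."""
    ks = [lit[1] for C in S for lit in C if lit[0] == "mod"]
    return lcm(*ks) if ks else 1

def ground_terms_G(S, m):
    """G_S^Z of Definition 43: {t - l | t ∈ B_S, 0 ≤ l ≤ m}, where B_S holds χ and
    every t such that x < t is an atom of S; the term t - l is the pair (t, l)."""
    B_S = {"χ"} | {lit[1] for C in S for lit in C if lit[0] == "x<"}
    return {(t, l) for t in B_S for l in range(m + 1)}

def falsified_instances(C, G, I):
    """The instances Cσ ∈ C↓_G, σ = {x ↦ t - l}, that I falsifies."""
    return {(t, l) for t, l in G if all(lit_false(lit, I[t] - l, I) for lit in C)}

def falsified_by_some_integer(C, I, bound):
    """Brute force: does some integer value of x in [-bound, bound] falsify C in I?"""
    return any(all(lit_false(lit, v, I) for lit in C) for v in range(-bound, bound + 1))

def respects_axioms(I, m):
    """The axioms χ > t + m (t ∈ T_B) added by Definition 42."""
    return all(I["χ"] > I[t] + m for t in I if t != "χ")

def example():
    """Constructed clause C = x ≮ b ∨ a ≮ x ∨ x ≉_2 c ∨ x ≉_3 a and an interpretation I
    with χ chosen to satisfy Definition 42 for m = lcm(2, 3) = 6."""
    C = [("x<", "b"), ("<x", "a"), ("mod", 2, "c"), ("mod", 3, "a")]
    I = {"a": 3, "b": 20, "c": 0, "χ": 27}
    return C, I
```

For the constructed clause the integers falsifying $C$ in $I$ are $6$, $12$ and $18$, and $18 = b - 2$ is the element of $G^{\mathbb{Z}}_S$ that the proof of Theorem 46 produces (the largest value below $u_i = b$ meeting the congruences).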

4.1.2 Term Algebra with Membership Constraints

We give a second example of a specification for which a base-complete instantiation procedure can be defined. We consider formulae built over a signature containing:

10 Note that the sets $U_i$, $L_i$ and $K_i$ could be empty.
• a set of free function symbols $\Sigma$;

• a set of constant symbols interpreted as ground terms built on $\Sigma$;

• a set of monadic predicate symbols $\mathfrak{P}$; each predicate $p$ in $\mathfrak{P}$ is interpreted as a (fixed) set $\hat{p}$ of ground terms built on $\Sigma$. We assume that the emptiness problem is decidable for any finite intersection of these sets (for instance $\hat{p}$ can be the set of terms accepted by a regular tree automaton, see [9] for details).

From a more formal point of view:

Definition 47. Let $\Sigma \subseteq \mathcal{F}_B$. We denote by $T(\Sigma)_s$ the set of ground terms of sort $s$ built on $\Sigma$. Let $\mathfrak{P}$ be a finite set of unary predicate symbols, together with a function $p \mapsto \hat{p}$ mapping every symbol $p : s \rightarrow bool \in \mathfrak{P}$ to a subset of $T(\Sigma)_s$.

We denote by $\mathcal{A}_{\Sigma}$ the specification $(\mathcal{I}_{\Sigma}, \mathfrak{C}_{\Sigma})$ where:

• $Ax(\mathcal{I}_{\Sigma})$ contains the following axioms:

$\bigvee_{t \in T(\Sigma)_s} x \simeq t$ for $s \in \mathcal{S}_B$, $x \in \mathcal{X}_B$,

$x_i \not\simeq y_i \vee f(x_1, \ldots, x_n) \not\simeq f(y_1, \ldots, y_n)$ if $f \in \Sigma$, $i \in [1,n]$,

$p(x) \vee x \not\simeq t$ if $p \in \mathfrak{P}$, $t \in \hat{p}$.

• Every non-ground atom in $\mathfrak{C}_{\Sigma}$ is of the form $\neg p(x)$, or of the form $x \not\simeq t$ for some ground term $t$.

The axioms of $Ax(\mathcal{I}_{\Sigma})$ entail the following property, which is proved by a straightforward induction on the depth of the terms:

Proposition 48. For all interpretations $I \in \mathcal{I}_{\Sigma}$ and all terms $t, t'$ occurring in a clause in $\mathfrak{C}_{\Sigma}$, if $[t]_I = [t']_I$ then $t = t'$.

If the sets in $\{\hat{p} \mid p \in \mathfrak{P}\}$ are regular then $\mathcal{A}_{\Sigma}$ is well-known to be decidable, see, e.g., [10]. We define the following instantiation procedure for $\mathcal{A}_{\Sigma}$:

Definition 49. Let $G^{\Sigma}_S$ be a set of ground terms containing:

• Every ground term $t$ such that $S$ contains an atom of the form $x \simeq t$.

• An arbitrarily chosen ground term $s_P \in \bigcap_{p \in P} \hat{p}$, for each $P \subseteq \mathfrak{P}$ such that $\bigcap_{p \in P} \hat{p} \neq \emptyset$ (recall that the emptiness problem is assumed to be decidable).

Let $\Theta_{\Sigma}(S) = S{\downarrow}_{G^{\Sigma}_S}$.

Theorem 50. $\Theta_{\Sigma}$ is base-complete if $\mathcal{B} = \mathcal{A}_{\Sigma}$.
Proof. Let $C$ be a clause in $\mathfrak{C}_{\Sigma}$; $C$ is of the form $\bigvee_{i=1}^{n} x_i \not\simeq t_i \vee \bigvee_{j=1}^{m} \neg p_j(y_j) \vee D$ where $D$ is ground, $x_i$ and $y_j$ ($i \in [1,n]$, $j \in [1,m]$) are variables, $t_i$ is a ground term for $i \in [1,n]$ and $p_j \in \mathfrak{P}$ for $j \in [1,m]$. Let $X = \{x_1, \ldots, x_n\}$ and $Y = \{y_1, \ldots, y_m\}$; note that these sets are not necessarily disjoint. For every variable $y \in Y$ we denote by $P_y$ the set of predicates $p_j$ ($1 \leq j \leq m$) such that $y_j = y$ and we let $s_y = s_{P_y}$. Consider the substitution $\sigma$ of domain $X \cup Y$ such that:

• $x_i\sigma = t_i$ for every $i \in [1,n]$;

• if $y \in Y \setminus X$ then $y\sigma = s_y$ (notice that $s_y$ must be defined since $y \in Y$).

We prove that $C\sigma \models_{\mathcal{A}_{\Sigma}} C$.

Let $I$ be an interpretation such that $I \models C\sigma$ and $I \not\models C$. Then there exists a substitution $\theta$ such that $I \not\models C\theta$, which implies that for all $i \in [1,n]$, $[x_i\theta]_I = [t_i]_I$, and for all $j \in [1,m]$, $[y_j\theta]_I \in [p_j]_I$. Proposition 48 entails that $x_i\theta = t_i$ for all $i \in [1,n]$, and $y_j\theta \in \hat{p}_j$ for all $j \in [1,m]$. Thus, in particular, for all $x \in X$, $x\sigma = x\theta$, and for all $y \in Y \setminus X$, $\bigcap_{p \in P_y} \hat{p} \neq \emptyset$.

Since $I \models C\sigma$ and $x_i\sigma = t_i$ for all $i \in [1,n]$, there must exist a $j \in [1,m]$ such that $[y_j\sigma]_I \notin [p_j]_I$; and, again by Proposition 48, this is equivalent to $y_j\sigma \notin \hat{p}_j$. If $y_j \in X$, then $y_j\theta = y_j\sigma \notin \hat{p}_j$ and $I \models C\theta$, which is impossible. Thus $y_j \in Y \setminus X$, and since $\bigcap_{p \in P_{y_j}} \hat{p} \neq \emptyset$ by construction, $y_j\sigma = s_{y_j} \in \hat{p}_j$; this contradicts the assumption that $y_j\sigma \notin \hat{p}_j$.

Since $C\sigma \models_{\mathcal{A}_{\Sigma}} C$, we deduce that for every clause $C \in S$, there exists a $D \in S{\downarrow}_{G^{\Sigma}_S}$ such that $D \models_{\mathcal{A}_{\Sigma}} C$, and therefore, $S \equiv_{\mathcal{A}_{\Sigma}} S{\downarrow}_{G^{\Sigma}_S}$. By construction, $G^{\Sigma}_S$ is finite, $G^{\Sigma}_S = G^{\Sigma}_{S^{\vee}}$ and $G^{\Sigma}_S \subseteq G^{\Sigma}_{S'}$ if $S \subseteq S'$. Hence all the conditions of Definition 21 are satisfied. ■

4.2 Combination of Specifications

Building on the results of the previous section, we now provide some concrete applications of Theorem 25.

4.2.1 Combining First-order Logic without Equality and Presburger Arithmetic

We begin with a simple example to illustrate how the method works. We show how to enrich the language of first-order predicate logic with some arithmetic constraints. We assume that $\mathcal{F}$ contains no function symbol of co-domain $int$ other than the usual symbols $0, s, +, -$ introduced in Section 2.5.

Let $\mathcal{N}_{fol}$ be the restriction of the specification $\mathcal{A}_{fol}$ defined in Example 6 to non-equational clause sets (i.e. to clause sets in which all atoms are of the form $t \simeq true$). We consider the combination $\mathcal{N}_{fol}[\mathcal{B}_{\mathbb{Z}}]$ of the specification $\mathcal{B}_{\mathbb{Z}}$ introduced in Section 4.1.1 with $\mathcal{N}_{fol}$. According to Theorem 46, $\Theta_{\mathbb{Z}}$ is base-complete for $\mathcal{B}_{\mathbb{Z}}$; thus, in order to apply Theorem 25 we only need to find a nesting-complete instantiation procedure for $\mathcal{N}_{fol}$. We will use an instantiation



25 



procedure based on hyper linking [22) . It is defined by the following inference 

rule: 

y"_ih,mi VCi,...,m„ V C„ . , ., 

— *—i=± ^-jn — it a is an mgu. of the \li,m\) s. 

Vi=l 'i " 

If 5 is a set of clauses, we denote by 0j ol (5) the set of clauses that can 
be obtained from S by applying the rule above (in any number of steps) and 
by Qfoi{S) the set of clauses obtained from Qfoi(S) by replacing all remaining 
variables of sort s by a constant symbol _L S of the same sort. 
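As an added illustration (not code from the paper), the rule above and the definition of $\Theta_{fol}$ written out in Python and run on the clause set $S^N$ of Example 52 below (integer variables already replaced by the constant $\bullet$). The encoding, the variant-renaming that makes the closure terminate, and the names `unify`, `hyperlink_step` and `theta_fol` are the author's own assumptions:

```python
from itertools import product

# Assumed encoding (not the paper's): a clause is a tuple of literals
# (sign, predicate, args); terms are flat, a string starting with '?' is a
# variable and anything else (•, c, d, ...) is a constant.

def is_var(t):
    return t.startswith('?')

def walk(t, sub):
    """Follow a substitution chain to the representative of t."""
    while t in sub:
        t = sub[t]
    return t

def unify(pairs):
    """Most general unifier of a list of term pairs, or None on a clash.
    Terms are flat (no function symbols), so no occurs check is needed."""
    sub = {}
    for a, b in pairs:
        a, b = walk(a, sub), walk(b, sub)
        if a == b:
            continue
        if is_var(a):
            sub[a] = b
        elif is_var(b):
            sub[b] = a
        else:
            return None                     # two distinct constants
    return sub

def normalize(clause):
    """Rename variables in order of appearance so that variants coincide;
    this is what makes the closure in theta_fol terminate."""
    names = {}
    out = []
    for sign, pred, args in clause:
        out.append((sign, pred, tuple(
            names.setdefault(a, f"?{len(names)}") if is_var(a) else a for a in args)))
    return tuple(out)

def rename(lit, tag):
    """Copy of an electron literal, variable-disjoint from the nucleus."""
    sign, pred, args = lit
    return (sign, pred, tuple(a + tag if is_var(a) else a for a in args))

def hyperlink_step(clauses):
    """One application of the rule to every nucleus l_1 ∨ ... ∨ l_n: pick an
    electron literal m_i complementary to each l_i, unify all (l_i, m_i^c)
    pairs simultaneously and collect the instances (l_1 ∨ ... ∨ l_n)σ."""
    new = set()
    for nucleus in clauses:
        electrons = []
        for k, (sign, pred, args) in enumerate(nucleus):
            electrons.append([rename(m, f"@{k}") for D in clauses for m in D
                              if m[1] == pred and m[0] != sign and len(m[2]) == len(args)])
        for choice in product(*electrons):
            pairs = [(a, b) for lit, m in zip(nucleus, choice)
                     for a, b in zip(lit[2], m[2])]
            sub = unify(pairs)
            if sub is not None:
                new.add(normalize(tuple((s, p, tuple(walk(a, sub) for a in args))
                                        for s, p, args in nucleus)))
    return new

def theta_fol(S):
    """Θ_fol(S): close S under the rule, then send every remaining variable
    of sort s to the constant ⊥ (the page's ⊥_s)."""
    S = {normalize(C) for C in S}
    while True:
        new = hyperlink_step(S) - S
        if not new:
            break
        S |= new
    return {tuple((s, p, tuple('⊥' if is_var(a) else a for a in args))
                  for s, p, args in C) for C in S}

# S^N of Example 52, as listed on the page, in the encoding above.
S_N = [
    ((False, 'p', ('•', '?x')), (False, 'q', ('•', '?y')), (True, 'r', ('•', '?x', '?y'))),
    ((True, 'p', ('•', 'c')),),
    ((True, 'q', ('•', 'd')),),
    ((False, 'r', ('•', '?x', '?y')),),
]

if __name__ == '__main__':
    for clause in sorted(theta_fol(S_N)):
        print(' ∨ '.join(('' if s else '¬') + f"{p}({', '.join(a)})" for s, p, a in clause))
```

Running it yields the six clauses the page lists for $\Theta_{fol}(S)$: the two hyper-linked instances $\neg p(\bullet, c) \vee \neg q(\bullet, d) \vee r(\bullet, c, d)$ and $\neg r(\bullet, c, d)$ together with the four input clauses with $x, y$ sent to $\bot$.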

Proposition 51. $\Theta_{fol}$ is nesting-complete for $\mathcal{N}_{fol}$.

Proof. In [22], it is proven that $S$ and $\Theta_{fol}(S)$ are equisatisfiable, thus Condition 1 of the definition of nesting-completeness holds; furthermore, by definition, $\Theta_{fol}$ is monotonic. To verify that $\Theta_{fol}$ is $S_B$-invariant, it suffices to remark that if a clause $D$ is deducible from a set of clauses $S$ by the instantiation rule above, then for every $S_B$-mapping $\alpha$, $\alpha(D)$ must be deducible from $\Theta_{fol}(\alpha(S))$, since the unifiers are not affected by the replacement of ground terms: if an mgu maps a variable $x$ to a term $t$ in $S$, then the corresponding mgu will map $x$ to $\alpha(t)$ in $\alpha(S)$. ∎

Theorem 25 guarantees that $\Theta_{fol}[\Theta_{\mathbb{Z}}]$ is complete for $\mathcal{N}_{fol}[\mathcal{B}_{\mathbb{Z}}]$. Note that in general $\Theta_{fol}[\Theta_{\mathbb{Z}}]$ (and $\Theta_{fol}$) are not terminating. However, $\Theta_{fol}[\Theta_{\mathbb{Z}}]$ is terminating if the set of ground terms containing no subterm of sort int (and distinct from $\bot_{int}$) is finite (for instance if $\mathcal{F}$ contains no function symbol of arity greater than 0 and of a sort distinct from int).

Example 52. Consider the following set of clauses $S$, where $i, j$ denote variables of sort int, $x, y$ denote variables of sort $s$, and $\mathcal{F}$ contains the following symbols: $a, b : int$, $c, d : s$, $p, q : int \times s \to bool$ and $r : int \times s \times s \to bool$.

(1) $\neg p(i, x) \vee \neg q(i, y) \vee r(i, x, y)$

(2) $p(a, c)$

(3) $j \not< b \vee q(j, d)$

(4) $i \not\equiv_2 0 \vee \neg r(i, x, y)$

Clauses (2) and (3) are not in $\mathcal{N}_{fol}[\mathcal{B}_{\mathbb{Z}}]$. Indeed, the non-arithmetic atom $p(a, c)$ contains a non-variable arithmetic subterm $a$, and (3) contains a literal $j \not< b$ that is not allowed in $\mathcal{B}_{\mathbb{Z}}$ (see Definition 42). Thus these clauses must be reformulated as follows:

(2)' $i \not\leq a \vee a \not\leq i \vee p(i, c)$
(3)' $j \not\leq b - 1 \vee q(j, d)$

To apply the procedure $\Theta_{fol}[\Theta_{\mathbb{Z}}]$, we compute the set $S^N$ and replace every arithmetic variable occurring in it by a special constant $\bullet$ of sort int:

$S^N$:
$\neg p(\bullet, x) \vee \neg q(\bullet, y) \vee r(\bullet, x, y)$
$p(\bullet, c)$
$q(\bullet, d)$
$\neg r(\bullet, x, y)$



We apply the procedure $\Theta_{fol}$. The reader can verify that we obtain the following clause set:

$\Theta_{fol}(S)$:
$\neg p(\bullet, \bot) \vee \neg q(\bullet, \bot) \vee r(\bullet, \bot, \bot)$
$p(\bullet, c)$
$q(\bullet, d)$
$\neg r(\bullet, \bot, \bot)$
$\neg p(\bullet, c) \vee \neg q(\bullet, d) \vee r(\bullet, c, d)$
$\neg r(\bullet, c, d)$



Next we consider the clauses in $S^B$: $\{ i \not\leq a \vee a \not\leq i,\ j \not\leq b - 1,\ i \not\equiv_2 0 \}$ and compute the set $G_{S^B, \mathcal{B}_{\mathbb{Z}}}$ according to Definition 43. The terms occurring as the right operands of a symbol $\leq$ are $\{a, b - 1\}$. The least common multiple of all the natural numbers $k$ such that $S^B$ contains a comparison modulo $k$ is 2. Thus $G_{S^B, \mathcal{B}_{\mathbb{Z}}} = \{a, b - 1, a - 1, b - 2\}$. To get the clause set $\Theta_{fol}[\Theta_{\mathbb{Z}}](S)$, the substitutions generated by $\Theta_{fol}$ are combined with all instantiations of integer variables by elements of $G_{S^B, \mathcal{B}_{\mathbb{Z}}}$. This yields:

$\neg p(a, \bot) \vee \neg q(a, \bot) \vee r(a, \bot, \bot)$    $p(a, c)$

$\neg p(b - 1, \bot) \vee \neg q(b - 1, \bot) \vee r(b - 1, \bot, \bot)$    $p(b - 1, c)$

$\neg p(a - 1, \bot) \vee \neg q(a - 1, \bot) \vee r(a - 1, \bot, \bot)$    $p(a - 1, c)$

$\neg p(b - 2, \bot) \vee \neg q(b - 2, \bot) \vee r(b - 2, \bot, \bot)$    $p(b - 2, c)$

$\neg r(a, \bot, \bot)$    $\neg r(a, c, d)$

$\neg r(b - 1, \bot, \bot)$    $\neg r(b - 1, c, d)$

$\neg r(a - 1, \bot, \bot)$    $\neg r(a - 1, c, d)$

$\neg r(b - 2, \bot, \bot)$    $\neg r(b - 2, c, d)$

$\neg p(a, c) \vee \neg q(a, d) \vee r(a, c, d)$    $q(a, d)$

$\neg p(b - 1, c) \vee \neg q(b - 1, d) \vee r(b - 1, c, d)$    $q(b - 1, d)$

$\neg p(a - 1, c) \vee \neg q(a - 1, d) \vee r(a - 1, c, d)$    $q(a - 1, d)$

$\neg p(b - 2, c) \vee \neg q(b - 2, d) \vee r(b - 2, c, d)$    $q(b - 2, d)$

The resulting set of clauses is $\mathcal{N}_{fol}[\mathcal{B}_{\mathbb{Z}}]$-unsatisfiable, hence so is $S$.
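The $\Theta_{\mathbb{Z}}$ half of the computation just described, as an added Python example that is not part of the paper: `instantiation_set` builds $G_{S^B, \mathcal{B}_{\mathbb{Z}}}$ from the arithmetic literals of $S^B$ exactly as the text describes (right operands of $\leq$, shifted back by $0, \ldots, k-1$ for $k$ the lcm of the moduli), `ground` replaces the integer variables of the six clauses of $\Theta_{fol}(S)$ listed above by every element of $G$, and `unit_propagate` refutes the result. The encoding, the function names and the decision to drop the arithmetic literals of the instances (as the page does when it lists them) are the author's assumptions:

```python
from itertools import product
from math import lcm

# Assumed encoding (not the paper's): an integer term is a (symbol, offset)
# pair, ('b', -1) being b-1; a literal is (sign, predicate, args).
INT_VARS = {'i', 'j'}

def show(term):
    """('b', -1) -> 'b-1', ('a', 0) -> 'a'."""
    sym, off = term
    return sym if off == 0 else f"{sym}{off:+d}"

# S^B of Example 52 (from the page): ('le', lhs, rhs) is a possibly negated
# literal lhs <= rhs, ('mod', var, k) a possibly negated comparison modulo k.
S_B = [('le', ('i', 0), ('a', 0)), ('le', ('a', 0), ('i', 0)),
       ('le', ('j', 0), ('b', -1)), ('mod', ('i', 0), 2)]

def instantiation_set(arith_literals):
    """G_{S^B,B_Z}: every ground right operand of <=, minus 0, 1, ..., k-1."""
    rights, k = set(), 1
    for lit in arith_literals:
        if lit[0] == 'le' and lit[2][0] not in INT_VARS:
            rights.add(lit[2])
        elif lit[0] == 'mod':
            k = lcm(k, lit[2])
    return {(sym, off - d) for sym, off in rights for d in range(k)}

# Θ_fol(S) as listed on the page; the • slot is the integer variable i or j.
THETA_FOL_S = [
    [(False, 'p', ('i', '⊥')), (False, 'q', ('i', '⊥')), (True, 'r', ('i', '⊥', '⊥'))],
    [(True, 'p', ('i', 'c'))],
    [(True, 'q', ('j', 'd'))],
    [(False, 'r', ('i', '⊥', '⊥'))],
    [(False, 'p', ('i', 'c')), (False, 'q', ('i', 'd')), (True, 'r', ('i', 'c', 'd'))],
    [(False, 'r', ('i', 'c', 'd'))],
]

def ground(clauses, G):
    """All instances obtained by mapping each integer variable into G."""
    names = sorted(show(g) for g in G)
    out = []
    for clause in clauses:
        ivars = sorted({a for _, _, args in clause for a in args if a in INT_VARS})
        for values in product(names, repeat=len(ivars)):
            sub = dict(zip(ivars, values))
            inst = tuple((s, p, tuple(sub.get(a, a) for a in args)) for s, p, args in clause)
            if inst not in out:
                out.append(inst)
    return out

def unit_propagate(clauses):
    """True if unit propagation alone reaches a conflict (the ground set is
    unsatisfiable), False if it stops without one."""
    assignment = {}                        # atom (pred, args) -> truth value
    progress = True
    while progress:
        progress = False
        for clause in clauses:
            if any(assignment.get((p, a)) == s for s, p, a in clause):
                continue                   # clause already satisfied
            open_lits = [(s, p, a) for s, p, a in clause if (p, a) not in assignment]
            if not open_lits:
                return True                # every literal is false: conflict
            if len(open_lits) == 1:
                s, p, a = open_lits[0]
                assignment[(p, a)] = s     # unit clause forces its literal
                progress = True
    return False

if __name__ == '__main__':
    G = instantiation_set(S_B)
    print('G =', sorted(map(show, G)))
    instances = ground(THETA_FOL_S, G)
    print(len(instances), 'ground clauses; refuted by unit propagation:',
          unit_propagate(instances))
```

The 24 instances are the ones listed above; the conflict comes from $p(a, c)$, $q(a, d)$, $\neg p(a, c) \vee \neg q(a, d) \vee r(a, c, d)$ and $\neg r(a, c, d)$. Grounding only the four input clauses (without the two hyper-linked instances) does not yield a conflict, which is why the $\Theta_{fol}$ substitutions must be combined with the $\Theta_{\mathbb{Z}}$ instantiations.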

4.2.2 Arrays with Integer Indices and Uninterpreted Elements 

The specification of arrays with integer indices and uninterpreted elements can be defined as a hierarchic expansion of the base specification $\mathcal{B}_{\mathbb{Z}}$ defined in Section 4.1.1 with a simple specification $\mathcal{N}_A = (\mathcal{I}_{fol}, \mathcal{C}_A)$, where the clauses in $\mathcal{C}_A$ are built on a set of variables of sort int, on a signature containing only constant symbols of sort array or elem and a function symbol $select : array \times int \to elem$. We have assumed that $\mathcal{C}_A$ contains no occurrence of the function symbol $store$ for convenience. There is no loss of generality: indeed, every definition of the form $s \simeq store(t, i, v)$, where $s, t, i, v$ are ground terms, can be written as the conjunction of the following clauses:

$select(s, i) \simeq v$

$i + 1 \not\leq z \vee select(s, z) \simeq select(t, z)$

$z \not\leq i - 1 \vee select(s, z) \simeq select(t, z)$

It is simple to verify that these three clauses are in $\mathcal{C}_A$. Obviously, the last two clauses are equivalent to $z \simeq i \vee select(s, z) \simeq select(t, z)$.

There exists a straightforward nesting-complete instantiation procedure for $\mathcal{N}_A$: namely the identity function $id(S) = S$. This is indeed an instantiation procedure since all the variables occurring in $\mathcal{C}_A$ are of sort int; these variables will already be instantiated by the instantiation procedure for $\mathcal{B}_{\mathbb{Z}}$ and the remaining clause set will be ground. The following result is a direct consequence of Theorem 25.

Proposition 53. $id[\Theta_{\mathbb{Z}}]$ is complete for $\mathcal{N}_A[\mathcal{B}_{\mathbb{Z}}]$.

We provide some examples of properties that have been considered in [5, 21, 20], and can be expressed in $\mathcal{N}_A[\mathcal{B}_{\mathbb{Z}}]$ ($t, t', t''$ denote constant symbols of sort array).

(1) $\forall i,\ a \not\leq i \vee i \not\leq b \vee select(t, i) \simeq v$

— $t$ is constant on $[a, b]$.

(2) $\forall i,\ a \not\leq i \vee i \not\leq b \vee select(t, i) \simeq select(t', i)$

— $t$ and $t'$ coincide on $[a, b]$.

(3) $\forall i, j,\ a \not\leq i \vee i \not\leq b \vee c \not\leq j \vee j \not\leq d \vee select(t, i) \not\simeq select(t', j)$

— The restrictions of $t$ and $t'$ to $[a, b]$ and $[c, d]$ respectively are disjoint.

(4) $\forall i, j,\ i \not\equiv_2 0 \vee j \not\equiv_2 1 \vee select(t, i) \not\simeq select(t, j)$

— The values of $t$ at even indices are disjoint from the ones at odd indices.

(5) $\forall i,\ i \not\equiv_2 0 \vee select(t, i) \simeq select(t', i) \vee select(t, i) \simeq select(t'', i)$

— For every even index, the value of $t$ is equal to the value of $t'$ or $t''$.

(6) $\forall i,\ 0 \not\leq i \vee i \not\leq d \vee select(t, i) \not\simeq \bot$
$\forall i,\ succ(d) \not\leq i \vee select(t, i) \simeq \bot$

— Array $t$ has dimension $d$.

(7) $\forall i,\ select(map(f, t), i) \simeq f(select(t, i))$

— Array $map(f, t)$ is obtained from $t$ by iterating function $f$.

Properties (1-3) can be expressed in the Array property fragment (see [6]), but not Property (4), because of the condition $i \equiv_2 0$. Property (4) is expressible in the Logic for Integer Arrays (LIA) introduced in [21], but not Property (5), because there is a disjunction in the value formula.

On the other hand, properties such as injectivity cannot be expressed in our setting:

(8) $\forall i, j,\ i \simeq j \vee select(t, i) \not\simeq select(t, j)$

— $t$ is injective.

(9) $\forall i, j,\ i \simeq j \vee select(t, i) \not\simeq select(t, j) \vee select(t, i) \simeq \bot$

— $t$ is injective on its domain.

Indeed, the literal $i \simeq j$ is not allowed in $\mathcal{B}_{\mathbb{Z}}$.

4.2.3 Arrays with Integer Indices and Interpreted Elements 

Instead of using the mere specification $\mathcal{N}_A$, one can combine the specification $\mathcal{B}_{\mathbb{Z}}$ with a richer specification, with function and predicate symbols operating on the elements of the arrays. For instance, consider the specification $\mathcal{N}_{\mathbb{R}} = (\mathcal{I}_{\mathbb{R}}, \mathcal{C}_{\mathbb{R}})$, where $Ax(\mathcal{I}_{\mathbb{R}})$ is some axiomatization of real closed fields over a signature $\mathcal{F}_{\mathbb{R}}$ and the clauses occurring in $\mathcal{C}_{\mathbb{R}}$ are built on a set of variables of sort int and on a signature containing all function symbols in $\mathcal{F}_{\mathbb{R}}$, constant symbols of sort array or real and a function symbol $select : array \times int \to real$. Then $\mathcal{N}_{\mathbb{R}}[\mathcal{B}_{\mathbb{Z}}]$ is the specification of arrays with integer indices and real elements, and an immediate application of Theorem 25 yields:

Proposition 54. $id[\Theta_{\mathbb{Z}}]$ is complete for $\mathcal{N}_{\mathbb{R}}[\mathcal{B}_{\mathbb{Z}}]$.

To model arrays with integer indices and integer elements, it is necessary to use a combination of the specification $\mathcal{B}_{\mathbb{Z}}$ with a specification containing the symbols in $\mathcal{B}_{\mathbb{Z}}$: $0 : int$, $s : int \to int$, $\leq : int \times int \to bool$, etc. However, this is not permitted in our approach since the clause sets of the nesting specification would contain function symbols whose co-domain would be a sort of the base specification (namely int), thus contradicting the conditions on $S_B$ and $S_N$ (see Section 3.1). A solution is to use a copy of the sort int and of every symbol of co-domain int. We denote by $\mathcal{N}'_{\mathbb{Z}}$ the specification $(\mathcal{I}'_{\mathbb{Z}}, \mathcal{C}'_{\mathbb{Z}})$ where $Ax(\mathcal{I}'_{\mathbb{Z}})$ is the image of $Ax(\mathcal{I}_{\mathbb{Z}})$ by the previous transformation and where the clause sets in $\mathcal{C}'_{\mathbb{Z}}$ are built on a set of variables of sort int and on a signature containing all function symbols $0', s', \leq', \ldots$ in $Ax(\mathcal{I}'_{\mathbb{Z}})$, constant symbols of sort array or int' and a function symbol $select : array \times int \to int'$. Then $\mathcal{N}'_{\mathbb{Z}}[\mathcal{B}_{\mathbb{Z}}]$ is a specification of arrays with integer indices and integer elements, and by Theorem 25, $id[\Theta_{\mathbb{Z}}]$ is complete for $\mathcal{N}'_{\mathbb{Z}}[\mathcal{B}_{\mathbb{Z}}]$.

Note however that, due to the fact that the sort symbols are renamed, equations between integer elements and integer indices are not permitted: indices cannot be stored into arrays and terms of the form $select(t, select(t, i))$ are forbidden. However, the sharing of a constant symbol $c$ between the two sorts int and int' (as in the equation $select(t, c) \simeq c$) is possible, by adding ground axioms of the form $k \simeq c \Rightarrow k' \simeq c'$, where $c'$ denotes the copy of $c$, $k$ is any integer in int and $k'$ denotes its copy in int'. Let $A$ denote this set of axioms; it is obvious that $A$ is countably infinite. It is clear that $id[\Theta_{\mathbb{Z}}](S \cup A) = id[\Theta_{\mathbb{Z}}](S) \cup A$, so that the instantiation procedure is not affected by this addition. Thus these axioms can simply be removed afterwards by "merging" int and int' and by replacing $c'$ by $c$ (it is straightforward to verify that this transformation preserves satisfiability).

We provide some examples. $\leq'$ and $+'$ are renamings of the symbols $\leq$ and $+$ respectively. Notice that the indices of the arrays are of sort int, whereas the elements are of sort int'. The following properties can be expressed in $\mathcal{N}'_{\mathbb{Z}}[\mathcal{B}_{\mathbb{Z}}]$:

(1) $\forall i, j,\ i \not\leq j \vee select(t, i) \leq' select(t, j)$

— $t$ is sorted.

(2) $\forall i, j,\ a \not\leq i \vee i \not\leq b \vee c \not\leq j \vee j \not\leq d \vee select(t, i) \leq' select(t', j)$

— The values of $t$ at $[a, b]$ are lower than the ones of $t'$ at $[c, d]$.

(3) $\forall i,\ i \not\equiv_2 0 \vee i \not\leq n \vee select(t, i) \simeq' select(t', i) +' select(t'', i)$

— For every even index lower than $n$, $t$ is the sum of $t'$ and $t''$.

Here are some examples of properties that cannot be handled:

(4) $\forall i,\ select(t, i) \simeq i$

— $t$ is the identity.

(5) $\forall i,\ select(t, i) - select(t, i + 1) \leq 2$

— The distance between the values at two consecutive indices is at most 2.

Property (4) is not in $\mathcal{N}'_{\mathbb{Z}}[\mathcal{B}_{\mathbb{Z}}]$ because there is an equation relating an element of sort int (i.e. an index) to an element of sort int' $\neq$ int (an element). Property (5) could be expressed in our setting as $\forall i, j,\ j \not\simeq i + 1 \vee select(t, i) - select(t, j) \leq 2$, but the atom $j \simeq i + 1$ is not in $\mathcal{B}_{\mathbb{Z}}$. Property (5) can be expressed in the logic LIA (see [21]). This shows that the expressive power of this logic is not comparable to ours.

These results extend straightforwardly to multidimensional arrays.

4.2.4 Arrays with Translations on Array Indices

In some cases, properties relating the value of an array at an index $i$ to the value at index $i + k$ for some natural number $k$ can be expressed by reformulations.

Definition 55. Let $S$ be a clause set containing clauses that are pairwise variable-disjoint. Let $\lambda$ be a function mapping every array constant to a ground term of sort int. $S$ is shiftable relatively to $\lambda$ iff the following conditions hold:

1. Every clause in $S$ is of the form $C \vee D$, where $D$ is a clause in $\mathcal{N}'_{\mathbb{Z}}$ and every literal in $C$ is of one of the following forms: $i \not\simeq j + s$, $i \not\leq s$, $s \not\leq i$, $i \not\equiv_k s$, where $i, j$ are variables of sort int, $s$ is a ground term of sort int and $k$ is a natural number.

2. For every clause $C \in S$ and for every literal $i \not\simeq j + s$ occurring in $C$, where $i, j$ are variables and $s$ is a term of sort int, $C$ contains two terms of the form $select(t, i)$ and $select(t', j)$ where $\lambda(t') - \lambda(t)$ is equivalent to $s$.

3. If $C$ contains two terms of the form $select(t, i)$ and $select(t', i)$ then $\lambda(t) = \lambda(t')$.

4. If $C$ contains an equation $t \simeq t'$ between arrays then $\lambda(t) = \lambda(t')$.

The existence of such a function $\lambda$ is easy to determine: conditions (2-4) above can immediately be translated into arithmetic constraints on the $\lambda(t)$'s, and the satisfiability of this set of constraints can be tested by using any decision procedure for Presburger arithmetic.

We define the following transformation of clause sets:

Definition 56. Let $t \mapsto t'$ be an arbitrarily chosen function mapping all the constants $t$ of sort array to pairwise distinct fresh constants $t'$ of sort array. We denote by $shift(S)$ the clause set obtained from $S$ by applying the following rules:

• every clause $C$ containing a term of the form $select(t, i)$ (where $i$ is a variable) is replaced by $C\{i \mapsto i - \lambda(t)\}$;

• then, every term of the form $select(t, s)$ is replaced by $select(t', s + \lambda(t))$.

Lemma 57. Let $S$ be a shiftable clause set. Then:

• $shift(S)$ and $S$ are equisatisfiable.

• $shift(S)$ is in $\mathcal{N}'_{\mathbb{Z}}[\mathcal{B}_{\mathbb{Z}}]$.

Proof. It is clear that for every clause $C$ in $S$, $C \equiv C\{i \mapsto i - k\}$: since $i$ ranges over all integers, $i$ and $i - k$ range over the same set. The replacement of $select(t, s)$ by $select(t', s + \lambda(t))$ obviously preserves sat-equivalence: it suffices to interpret $t'$ as the array defined by the relation $select(t', i) = select(t, i - \lambda(t))$. Thus $shift(S)$ and $S$ are equisatisfiable.

We prove that $shift(S)$ is in $\mathcal{N}'_{\mathbb{Z}}[\mathcal{B}_{\mathbb{Z}}]$. By Condition 3 of Definition 55, if a clause $C\{i \mapsto i - \lambda(t)\}$ contains a term of the form $select(s, i - \lambda(t))$ then we must have $\lambda(s) = \lambda(t)$, thus this term is replaced by $select(s', i)$ when the second rule above is applied. Consequently, the non-arithmetic part of the resulting clause cannot contain any non-variable term of sort int. Now assume that $C$ contains an arithmetic literal of the form $i < j + s$. Then by Condition 2, $C$ also contains terms of the form $select(t, i)$ and $select(t', j)$, where $\lambda(t') - \lambda(t)$ is equivalent to $s$. Hence, the clause in $shift(S)$ corresponding to $C$ contains the literal $i - \lambda(t) < j - \lambda(t') + s \equiv i < j - (\lambda(t') - \lambda(t)) + s \equiv i < j$. ∎
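The shift transformation of Definition 56, together with the check of Conditions 2 and 3 of Definition 55 for a given $\lambda$ and a check that the result has the shape Lemma 57 promises, as an added Python example that is not part of the paper. The input clause set, the array names $t, u, w$, the integer constants $a, b, k$, the function names and the encoding (integer terms as linear combinations, literals as tagged tuples) are the author's assumptions; the rules are applied exactly as Definition 56 states them:

```python
# Assumed encoding (not the paper's): an integer term is {symbol: coefficient};
# a literal is ('neq', u, v) for u ≄ v, ('nle', u, v) for u ≰ v, or
# ('sel', positive, [(array, index), ...]) for an equation (positive=True) or
# a disequation between select terms.
INT_VARS = {'i', 'j'}

def lin(**coeffs):
    """Linear integer term; lin(i=1, k=-1) is i - k, lin() is 0."""
    return {s: c for s, c in coeffs.items() if c}

def add(u, v, sign=1):
    """u + sign*v, dropping zero coefficients."""
    out = dict(u)
    for s, c in v.items():
        out[s] = out.get(s, 0) + sign * c
    return {s: c for s, c in out.items() if c}

def subst(term, var, by):
    """Replace the variable var by the linear term by inside term."""
    if var not in term:
        return term
    rest = {s: c for s, c in term.items() if s != var}
    return add(rest, {s: term[var] * c for s, c in by.items()})

def bare_var(term):
    """The variable v if term is exactly v (coefficient 1), else None."""
    if len(term) == 1:
        (s, c), = term.items()
        if c == 1 and s in INT_VARS:
            return s
    return None

def is_shiftable(clauses, lam):
    """Conditions 2 and 3 of Definition 55 for a given λ (condition 4 is
    vacuous here: the encoding has no equations between arrays)."""
    for clause in clauses:
        indexed_by = {}                 # variable -> an array it indexes
        for lit in clause:
            if lit[0] == 'sel':
                for arr, idx in lit[2]:
                    v = bare_var(idx)
                    if v is None:
                        continue
                    if v in indexed_by and lam[indexed_by[v]] != lam[arr]:
                        return False    # condition 3 violated
                    indexed_by.setdefault(v, arr)
        for lit in clause:
            if lit[0] != 'neq':
                continue
            i, js = bare_var(lit[1]), [s for s in lit[2] if s in INT_VARS]
            if i is None or len(js) != 1:
                continue                # not of the form i ≄ j + s
            j, s = js[0], {sym: c for sym, c in lit[2].items() if sym != js[0]}
            if i not in indexed_by or j not in indexed_by:
                return False            # condition 2: needs select(t, i), select(t', j)
            if add(lam[indexed_by[j]], lam[indexed_by[i]], -1) != s:
                return False            # condition 2: λ(t') - λ(t) must equal s
    return True

def shift(clauses, lam):
    """Definition 56: i ↦ i - λ(t) for every select(t, i) with a variable index,
    then select(t, s) ↦ select(t', s + λ(t)) with t' a fresh copy of t."""
    out = []
    for clause in clauses:
        subs = {}
        for lit in clause:
            if lit[0] == 'sel':
                for arr, idx in lit[2]:
                    v = bare_var(idx)
                    if v is not None:
                        subs[v] = add(lin(**{v: 1}), lam[arr], -1)
        def rw(term):
            for v, by in subs.items():
                term = subst(term, v, by)
            return term
        new = []
        for lit in clause:
            if lit[0] == 'sel':
                new.append(('sel', lit[1],
                            [(arr + "'", add(rw(idx), lam[arr])) for arr, idx in lit[2]]))
            else:
                new.append((lit[0], rw(lit[1]), rw(lit[2])))
        out.append(new)
    return out

def in_target_shape(clause):
    """What Lemma 57 guarantees: select indices are bare variables, and an
    arithmetic literal between two variables carries no ground offset."""
    for lit in clause:
        if lit[0] == 'sel':
            if any(bare_var(idx) is None for _, idx in lit[2]):
                return False
        elif any(s in INT_VARS for s in lit[1]) and any(s in INT_VARS for s in lit[2]):
            if any(s not in INT_VARS for s in add(lit[1], lit[2], -1)):
                return False
    return True

# Constructed sample (assumption): i ≄ j + k ∨ select(t, i) ≃ select(u, j)
#                              and a ≰ i ∨ i ≰ b ∨ select(u, i) ≄ select(w, i)
SAMPLE = [
    [('neq', lin(i=1), lin(j=1, k=1)), ('sel', True, [('t', lin(i=1)), ('u', lin(j=1))])],
    [('nle', lin(a=1), lin(i=1)), ('nle', lin(i=1), lin(b=1)),
     ('sel', False, [('u', lin(i=1)), ('w', lin(i=1))])],
]
LAMBDA = {'t': lin(), 'u': lin(k=1), 'w': lin(k=1)}   # λ(t) = 0, λ(u) = λ(w) = k
```

On the sample, `is_shiftable(SAMPLE, LAMBDA)` holds (the literal $i \not\simeq j + k$ pairs $select(t, i)$ with $select(u, j)$ and $\lambda(u) - \lambda(t) = k$), and `shift(SAMPLE, LAMBDA)` turns the first clause into $i \not\simeq j \vee select(t', i) \simeq select(u', j)$ and the second into $a \not\leq i - k \vee i - k \not\leq b \vee select(u', i) \not\simeq select(w', i)$, which is exactly the cancellation carried out in the proof above; with $\lambda$ identically $0$ the shiftability check fails.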

We provide an example in which this result applies. 
Example 58. Consider for instance the following clause set $S$:

(1) $\forall i, j,\ a \not\leq i \vee i \not\leq b \vee j \not\simeq i - a \vee select(s, i) \simeq select(t, j)$

— $s$ is identical to $t$ up to a shift of length $a$.

(2) $\forall i, j,\ a \not\leq i \vee i \not\leq b \vee j \not\simeq i - a \vee select(u, i) \simeq select(s, j)$

— $u$ is identical to $s$ up to a shift of length $a$.

(3) $c > a + a$

(4) $c < b$

(5) $i \not\simeq c \vee j \not\simeq c - a - a \vee select(u, c) \not\simeq select(t, j)$

— $u$ is not identical to $t$ up to a shift of length $a + a$.

It is simple to check that $S$ is shiftable relatively to the mapping $\lambda(u) = a + a$, $\lambda(s) = a$ and $\lambda(t) = 0$. According to Definition 56, $S$ is reformulated as follows:

$shift(S)$:

(1') $\forall i, j,\ 0 \not\leq i \vee i \not\leq b - a \vee j \not\simeq i \vee select(s', i) \simeq select(t', j)$

(2') $\forall i, j,\ 0 \not\leq i \vee i \not\leq b - a \vee j \not\simeq i \vee select(u', i) \simeq select(s', j)$

(3) $c > a + a$

(4) $c < b$

(5) $i \not\simeq c \vee j \not\simeq c - a - a \vee select(u', c) \not\simeq select(t', j)$

$shift(S)$ and $S$ are equisatisfiable, and $shift(S)$ belongs to $\mathcal{N}'_{\mathbb{Z}}[\mathcal{B}_{\mathbb{Z}}]$. The unsatisfiability of $shift(S)$ can be proven by applying the procedure $id[\Theta_{\mathbb{Z}}]$.
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4.2.5 Nested Arrays 

An interesting feature of this approach is that it can be applied recursively, 
using as base and/or nesting specifications some nested combination of other 
specifications. 

We denote by $\mathcal{B}'_{\mathbb{Z}}$ a copy of the specification $\mathcal{B}_{\mathbb{Z}}$ in which the symbols $int, 0, s, \leq, \ldots$ are renamed into $int', 0', s', \leq', \ldots$ We denote by $\Theta'_{\mathbb{Z}}$ the corresponding instantiation procedure, as defined by Definition 43. Let $\mathcal{N}''_{\mathbb{Z}}$ be a copy of the specification $\mathcal{N}'_{\mathbb{Z}}$, in which the symbols $int', 0', s', \leq', select, \ldots$ are renamed into $int'', 0'', s'', \leq'', select', \ldots$ Let $\mathcal{A}_{\mathbb{Z}^3} = \mathcal{N}''_{\mathbb{Z}}[\mathcal{B}'_{\mathbb{Z}}][\mathcal{B}_{\mathbb{Z}}]$.

Proposition 59. $id[\Theta'_{\mathbb{Z}}][\Theta_{\mathbb{Z}}]$ is complete for $\mathcal{A}_{\mathbb{Z}^3}$.

In $\mathcal{A}_{\mathbb{Z}^3}$, the (integer) indices of an array $t$ can themselves be stored into arrays of integers, but of a different type than $t$.

Example 60. The following clause set is $\mathcal{A}_{\mathbb{Z}^3}$-unsatisfiable (for the sake of readability we use $t \not< s$ as a shorthand for $t \not\leq s \vee t \simeq s$):

(1) $i \not< j \vee select(t, i) \leq select(t, j)$

— $t$ is sorted.

(2) $i' \not<' j' \vee select'(t', i') \leq' select'(t', j')$

— $t'$ is sorted.

(3) $a < b$

(4) $x \not\simeq a \vee y \not\simeq b \vee x' \not\simeq select(t, x) \vee y' \not\simeq select(t, y) \vee select'(t', x') > select'(t', y')$

— $t' \circ t$ is not sorted.

We describe the way the procedure works on this very simple but illustrative example. According to the definition of $id[\Theta'_{\mathbb{Z}}][\Theta_{\mathbb{Z}}]$, the variables $i, j, x$ and $y$ are replaced by a special symbol $\bullet$ and the instantiation procedure $id[\Theta'_{\mathbb{Z}}]$ is applied. The variables $i', j', x', y'$ are replaced by a constant symbol $\bullet'$ and the procedure $id$ is applied on the resulting clause set (in a trivial way, since this set is ground). Next, we apply the procedure $\Theta'_{\mathbb{Z}}$. According to Definition 43, $\Theta'_{\mathbb{Z}}$ instantiates the variables $i', j', x', y'$ by $select(t, \bullet)$. This substitution is applied to the original clause set and the procedure $\Theta_{\mathbb{Z}}$ is invoked. The variables $i, j, x$ and $y$, and the constant symbol $\bullet$, are replaced by $\{a, b\}$. After obvious simplifications, we obtain the following set of instances:

$a \not< b \vee select(t, a) \leq select(t, b)$
$b \not< a \vee select(t, b) \leq select(t, a)$
$select(t, a) \not< select(t, a) \vee select'(t', select(t, a)) \leq' select'(t', select(t, a))$
$select(t, a) \not< select(t, b) \vee select'(t', select(t, a)) \leq' select'(t', select(t, b))$
$select(t, b) \not< select(t, b) \vee select'(t', select(t, b)) \leq' select'(t', select(t, b))$
$select(t, b) \not< select(t, a) \vee select'(t', select(t, b)) \leq' select'(t', select(t, a))$

$a < b$
$select'(t', select(t, a)) > select'(t', select(t, b))$

At this point, $\leq'$ may be simply replaced by $\leq$ (this operation obviously preserves equisatisfiability) and the resulting clause set can be refuted by any SMT-solver handling ground equality and integer arithmetic.

Such nested array reads are outside the scope of the Array property fragment of [6] and of the Logic LIA of [21]. They are not subsumed either by the extensions of the theory of arrays considered in [20]. Note that, due to the fact that we use distinct renamings of the specification of integers, equations such as $select(t', select(t, a)) \simeq select(t', a)$ are forbidden (if arrays are viewed as heaps, this means that there can be no equation between pointers and referenced values).

5 Discussion 

In this paper we have introduced a new combination method for instantiation schemes and presented sufficient conditions that guarantee the completeness of the resulting instantiation scheme. As evidenced by the examples provided in Section 4, this combination method makes it possible to obtain instantiation procedures for several theories that are quite expressive, at almost no cost. One direct consequence of these results is that it should be possible for developers of SMT solvers to focus on the design of efficient decision procedures for a few basic theories, such as, e.g., the theory of equality with uninterpreted function symbols (EUF) or Presburger arithmetic, and obtain efficient SMT solvers for a large panel of theories.

This combination method may seem inefficient, since exponentially many ground clauses may be generated, except in trivial cases. An interesting line of research is to investigate how incremental techniques can be implemented and the instantiations controlled so that the (un)satisfiability of the clause set under consideration can be detected before all clauses are instantiated in all possible ways. For instance, we believe it is possible (but this will probably depend on $\mathcal{B}$ and $\mathcal{N}$) to devise more subtle strategies that begin by replacing base variables with the constants $\bullet_s$ and applying the instantiation procedure for $\mathcal{N}$, and deriving additional information from the resulting set of ground clauses to avoid having to instantiate all base variables in all possible ways. Further investigations into this line of work could lead to the design of more powerful instantiation procedures that could enlarge the scope of modern SMT solvers by making them able to handle efficiently more expressive classes of quantified formulae.
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